UNCLASSIFIED

UNITED STATES DEPARTMENT OF STATE
AND THE BROADCASTING BOARD OF GOVERNORS
OFFICE OF INSPECTOR GENERAL

AUD-IT-13-03          Office of Audits          November 2012

Audit of Department of State Information Security Program

IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.

United States Department of State and the Broadcasting Board of Governors
Office of Inspector General

PREFACE

This report is being transmitted pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared as part of the Office of Inspector General's (OIG) responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

In accordance with the Federal Information Security Management Act of 2002 (FISMA), OIG performed an audit of the Department of State Information Security Program for FY 2012. To perform this audit, OIG contracted with the independent public accountant Williams, Adley & Company, LLP. The contract required that the independent public accountant perform its evaluation in accordance with guidance contained in the Government Auditing Standards, issued by the Comptroller General of the United States. The public accountant's report is included. The report is based on interviews with employees and officials of relevant agencies and institutions, direct observation, and a review of applicable documents.

The independent public accountant identified areas in which improvements could be made, including the risk management program, security configuration management, security awareness and role-based training, plans of action and milestones, account and identity management, the user provisioning process, continuous monitoring, remote access, the continuity of operations program, information system contingency planning, oversight of contractor systems, and capital planning.

OIG evaluated the nature, extent, and timing of Williams, Adley & Company's work; monitored progress throughout the evaluation; reviewed Williams, Adley & Company's supporting documentation; evaluated key judgments; and performed other procedures as appropriate. OIG concurs with Williams, Adley & Company's findings, and the recommendations contained in the report were developed on the basis of the best knowledge available and were discussed in draft form with those individuals responsible for implementation. OIG's analysis of management's response to the recommendations has been incorporated into the report. OIG trusts that this report will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of the individuals who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

WILLIAMS ADLEY

Audit of the Department of State Information Security Program

November 7, 2012

Office of Inspector General
U.S. Department of State
Washington, DC

Williams, Adley & Company-DC, LLP has performed an audit of the Department of State's (Department) Information Security Program. We audited the Department's compliance with the Federal Information Security Management Act, Office of Management and Budget requirements, and National Institute of Standards and Technology standards. We performed this audit under Contract No. SAQMMA10F2159. The audit was designed to meet the objectives described in the report.

We conducted this performance audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. We communicated the results of our audit and the related findings and recommendations to the U.S. Department of State Office of Inspector General.

We appreciate the cooperation provided by State Department personnel during the audit.

WILLIAMS, ADLEY & COMPANY-DC, LLP
1250 H Street, NW, Suite 1150, Washington, DC

Acronyms

AD           Active Directory
ATO          Authorization to Operate
BIA          Business Impact Analysis
C&A          Certification and Accreditation
CM           Configuration Management
COOP         Continuity of Operations Plan
Department   Department of State
DHS          Department of Homeland Security
DS           Bureau of Diplomatic Security
DS/SI/CS     Diplomatic Security/Security Infrastructure/Office of Computer Security
eCPIC        electronic Capital Planning Investment Control
FAM          Foreign Affairs Manual
FISMA        Federal Information Security Management Act
GAGAS        Generally Accepted Government Auditing Standards
GO           Global OpenNet
HR/ER/WLD    Human Resources/Employee Relations/Work Life Division
IRM/IA       Bureau of Information Resource Management, Office of Information Assurance
IT           information technology
NIST         National Institute of Standards and Technology
OIG          Office of Inspector General
OIP          Orientation and In Processing
OMB          Office of Management and Budget
POA&M        Plans of Action and Milestones
SP           Special Publication
SSA          Systems Security Authorization
SSR          Significant Security Responsibilities
Table of Contents

Executive Summary
Background
Objective
Results of Audit
Finding A. Continuous Monitoring Program Needs To Be Improved
Finding B. End-to-End Configuration Management Process Needs Improvement
Finding C. Standard Configuration Baselines for UNIX Need To Be Developed
Finding D. Periodic Vulnerability and Compliance Scans Process and Capabilities Need Improvement
Finding E. Account Management Processes in Active Directory Need To Be Improved
Finding F. The User Provisioning Process for Creating, Modifying, and Disabling Users' Accounts Requires Significant Improvement
Finding G. Risk Management Framework Needs Improvement
Finding H. Information Security Training Requirements Were Not Enforced
Finding I. Plans of Action and Milestones Are Not Effective
Finding J. Remote Access Policies and Procedures Need Improvement
Finding K. The Continuity of Operations Program Needs To Be Improved
Finding L. Information System Contingency Plans Need To Be Improved
Finding M. Oversight of Contractor Systems and Extensions Needs Improvement
Finding N. Security Capital Planning Requires Improvement
List of Current Year Recommendations
Appendices
A. Scope and Methodology
B. Follow-up of Recommendations From the FY 2011 FISMA Report
C. End-to-End Configuration Management Process Needs Improvement
D. Weak Active Directory User Account Management
E. Sample Selection of Information Systems Listed in Information Technology Asset Baseline Used for FY 2012 Audit - Vulnerability Assessment
F. Missing NIST SP 800-53, Revision 3, Baseline Security Controls
G. FISMA Reportable Systems That Have Not Completed the FY 2012 Contingency Plan Test
H. FISMA Reportable Systems Missing Alternate Processing Site Details
I. Department of State Response

Executive Summary

In accordance with the Federal Information Security Management Act of 2002 (FISMA),[1] the Office of Inspector General (OIG) contracted with Williams, Adley & Company, LLP (referred to as "we" in this report), to perform an independent audit of the Department of State (Department) Information Security Program's compliance with Federal laws, regulations, and standards established by FISMA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). Additionally, the results are designed to assist OIG in providing responses to the FY 2012 Inspector General Federal Information Security Management Act Reporting Metrics, dated March 6, 2012.

Overall, we found that the Department had implemented an information security program and had made progress during FY 2012, but we identified control weaknesses that significantly impact the information security program. If these control weaknesses were exploited, the Department could experience security breaches. The FY 2011 FISMA report[2] contained 19 recommendations intended to address security deficiencies, and the most significant of these deficiencies involved the Department's risk management strategy and security authorizations, security configuration management, Plans of Action and Milestones (POA&M), and the continuous monitoring program. Although we observed an increased level of effort to address the findings we presented in previous years, only four of the 19 recommendations from the prior audit report were remediated and confirmed during the audit period.
The FY 2012 FISMA report contains 31 recommendations, many of which repeat findings identified in the FY 2011 FISMA audit.

Collectively, the control weaknesses we identified in this audit, along with the weaknesses identified by OIG in the report Audit of Department of State Access Controls for Major Applications,[3] represent a significant deficiency, as defined by OMB Memorandum M-12-20,[4] to enterprise-wide security, including the Department's financial systems. The weakened security controls could adversely affect the confidentiality, integrity, and availability of information and information systems. A further compounding factor is that the Department had not fully taken corrective action to remediate all of the control weaknesses identified in the FY 2011 FISMA report.

The Department had taken action to resolve the continuous monitoring control weaknesses identified in the FY 2010 and FY 2011 FISMA reports on the Department's information security program by developing a formal continuous monitoring strategy to address framing and assessing risk, responding to risk, and monitoring risk, all of which are required by NIST Special Publication (SP) 800-39, "Managing Information Security Risk," March 2011. Although the strategy was finalized in August 2012, the control processes supporting the implementation of the continuous monitoring strategy had not been implemented. In addition, we found that subnets within the system's boundary residing on ClassNet were not included in the periodic scans. Further, our review found that the Department's remedial actions taken to resolve weaknesses identified in the FY 2010 and FY 2011 FISMA reports were not complete, and the following repeat deficiencies were found:

• The scanning tools do not assess Oracle, the Department's most common database management system, for configuration control weaknesses that could adversely impact application access controls.

• Scanning results for routers, firewalls, and Demilitarized Zone servers were not available in iPost;[5] therefore, the results were not used in risk scoring.

• Security configuration baselines for UNIX had not been developed and published. Without effective configuration management controls, sensitive data, systems, and hardware are exposed to loss of availability, integrity, and confidentiality.

[1] Pub. L. No. 107-347, title III.
[2] Evaluation of Department of State Information Security Program (AUD/IT-12-14, Nov. 2011).
[3] Audit of Department of State Access Controls for Major Applications (AUD/IT-12-44, Sep. 2012).
[4] OMB Memorandum M-12-20, "FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management," Oct. 2, 2012.

Although we found that the Chief Information Officer was taking actions to address the prior year's weaknesses with the configuration management controls, the configuration management process continues to experience deficiencies in installing critical security patches within required timeframes.

The Department needs to improve account management processes in Active Directory[6] (AD) for OpenNet and ClassNet.
From a population of 116,821 OpenNet AD user accounts, we identified 5,717 accounts that had never been used (never logged on); 529 accounts (user, service, and mailbox) with passwords set "not to expire"; 19,335 accounts (user, service, and mailbox) that had been set to not require passwords; and 6,269 users that had not logged into their accounts between 2005 and 2011. Using a risk-based approach, we identified random instances of the same conditions on the ClassNet AD as well. Upon notification of these findings, the Department implemented remedial actions to address the passwords set "not to expire" for OpenNet AD user accounts.

The Department made significant progress in disabling user accounts of terminated employees in a timely manner. From a population of 198 Foreign Service and Civil Service terminated employees (Domestic) and 186 Foreign Service and Civil Service terminated employees (Overseas) during FY 2012, we found only five user accounts that had not been disabled in a timely manner. In addition, we determined that the five user accounts for the terminated employees had last log-on dates after the dates the employees had been terminated. We commend the Department for taking immediate remediation efforts to disable these accounts and for performing analyses to determine whether any unauthorized activities had been performed on these accounts to resolve this finding. However, the Department's user provisioning process for creating new users' accounts was not in compliance with the Department's Foreign Affairs Manual (FAM).[7] We found that Network Access Request Forms had not been received for four of a sample of 25 new user accounts created during FY 2012.

[5] iPost is a system that provides the ability to monitor outputs of the various network monitoring applications. It allows key personnel to monitor network, computer, and application resources; check for potential problems; initiate corrective actions; and gather performance, compliance, and security data for near real-time and historical reporting.
[6] Active Directory is a technology created by Microsoft that provides a variety of network services, such as identification and authentication, and directory access.

The Department's risk management program for information security needs improvement at the system level. We noted that system security plans for nine systems residing on OpenNet did not comply with NIST SP 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations." In addition, the security authorization process was not properly managed on the Department's primary general support systems for unclassified systems. These deficiencies weaken the Department's risk management framework and its ability to assess, respond to, and monitor information security risk.

The Department needs to improve its process and procedures for role-based security-related training. The Department was not tracking and documenting significant security responsibilities (SSR) training attendance, and it did not require role-based security-related training to be completed before authorizing access to the network. From a sample of 46 new employees hired during FY 2012 with SSR (that is, Chief of Mission, Deputy Assistant Secretary, Information Management Specialist, Information Technology Specialist, Office Director, and Security Engineering Officer), we found that none of the 46 employees had taken the recommended[8] role-based security-related training course within the timeframe (6 months) recommended in the Information Assurance Training Plan.

The Department's POA&M process had not been fully and effectively implemented, and the program remained noncompliant with OMB and Committee on National Security Systems requirements.[9] Although in August 2012 the Department implemented a process to centrally manage, address, and resolve security weaknesses identified on systems residing on ClassNet, the Department's bureaus had not implemented effective corrective actions to address the POA&M control weaknesses within systems residing on OpenNet in a timely manner.

Remote access controls can be improved.
The Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), has a process in place to authorize remote administration using Remote Desktop Protocol via Global OpenNet (GO) for administrators, which conflicts with 12 FAM 680, which prohibits the use of remote administration. We requested a sample of Remedy tickets to test authorization requests for key fobs/tokens, and Remedy tickets evidencing service requests could not be located for 19 of 25 new employees.

The Department's Continuity of Operations Program was not operating effectively and was not documented in accordance with NIST SP 800-34, Revision 1,[10] and Federal Continuity Directive 2.[11] The Department is required by NIST to have a collection of plans to prepare for response, continuity, recovery, and resumption of mission/business processes and information systems. Although contingency plans had been developed at the system level, the bureau level, and the national level, the Continuity of Operations Plan (COOP) for communications and the infrastructure had not been documented at the Department level (entity). In addition, an entity-wide Business Impact Analysis (BIA) had not been documented to facilitate the coordination of recovery priorities for critical mission/business processes and services in the event of a disruption.

[7] 12 FAM 622.1-2(b).
[8] The Department's Information Assurance Training Plan states: "This training is recommended upon title designation; individuals should complete training within 6 months of assuming the position. Training is recommended again once every 2 years for refresher purposes."
[9] OMB Memorandum M-02-01, "Guidance for Preparing and Submitting Security Plans of Action and Milestones," Oct. 2001; OMB Memorandum M-04-25, "FY 2004 Reporting Instructions for the Federal Information Security Management Act," Aug. 2004; and "Committee on National Security Systems Policy No. 22," Jan. 2012.
[10] NIST Special Publication 800-34, Rev. 1, "Contingency Planning Guide for Federal Information Systems," May 2010.

The Department had not implemented an effective oversight program for its contractor-hosted systems and extensions, specifically government extensions. Not all government extensions (older sites) had been documented; for example, an OpenNet extension exists at the Broadcasting Board of Governors for which authorization memoranda were not available or did not exist.

Information security was not fully integrated into the Department's Capital Planning and Investment Control process. IRM senior management needs to strengthen its oversight process for information technology (IT) investments. Our review of the business cases and OMB Exhibits 300[12] for the new enterprise-level IT investments (Application Services, Data Center Services/Hosting, and Deployment, Maintenance & Refresh) found that the IRM exhibits were not complete because they were newly established Exhibits 300 this fiscal year. For example, we found that the Investment-level Acquisition Plan, Earned Value, Integrated Program Team Charter, Investment Charter, Project Charters (as appropriate), and Risk Management Plan were incomplete within the electronic Capital Planning Investment Control (eCPIC) tool.[13]

This report contains 31 recommendations to address security deficiencies identified in 14 reportable areas, and we believe the most significant security deficiencies are the findings related to risk management strategy and security authorizations (Finding G), security configuration management (Finding B), POA&Ms (Finding I), and the continuous monitoring program (Finding A).

In its November 7, 2012, response to the draft report (see Appendix I), the Department concurred with 24 recommendations, partially concurred with two recommendations, and did not concur with five recommendations.[14] Based on the response, OIG considers 27 recommendations resolved, pending further action, and four recommendations unresolved. Based on the response, OIG also added a new recommendation and revised three other recommendations. The addition and revisions are noted in management's responses and OIG's analyses, which are presented after each recommendation.

[11] Federal Continuity Directive 2, "Federal Executive Branch Mission Essential Function and Primary Mission Essential Function Identification and Submission Process," Feb. 2008.
[12] OMB Circular No. A-11, Exhibit 300, "Capital Asset Plan and Business Case Summary."
[13] The Department of State's electronic Capital Planning Investment Control (eCPIC) portfolio management tool, which is used for managing IT investments.
[14] In its response, management requested that former Recommendation 15 be divided into two recommendations. After the change, the final report contains 31 recommendations.

We reviewed the Department's remedial actions taken to address the information security program control weaknesses identified in the FY 2011 FISMA report.[15] The status of each recommendation from the FY 2011 FISMA report is in Appendix B of this report.

Since FY 2011, the Department has taken the following actions to improve management controls:

• Developed an automated process for the Foreign Service Institute's cyber security tracking system to update the user's AD account expiration date immediately after the student completes the Cyber Security Awareness (PS800) training. This AD update extends the user's account expiration date by 368 days.
  If the user fails to retake the test within 368 days, the user's account expires and the user cannot access the system without manual intervention by an administrator.

• Developed System Security Plan templates that comply with NIST Special Publication 800-53, Revision 3.

• Developed and implemented procedures to distribute quarterly POA&M Grade Memorandums to the bureaus' and offices' senior management (executive director) as required by OMB Memorandum M-04-25.[16]

• Revised the IRM/IA Contingency Plan Test Review Checklist to address the following items:
    o Recovery and damage assessment procedures
    o Alternate recovery site details
    o Back-up procedures
    o Back-up test results for moderate- and high-impact systems

• Revised the Contingency Plan Policy to include an organization-defined frequency for backup testing.

• Revised the FAM to require system owners to report to IRM/IA on the test results and updates to the contingency plans.

• Established procedures to identify the total number of contractors who have access to the Department's systems.

• Developed procedures that ensure that IRM's Directorate of Business Management and Planning tracks all obligations and expenditures for IT security investments.

• Developed procedures to provide a summary of the non-major investments that make up the IT infrastructure and other major investments.

• Developed procedures to include the Unique Project Identifier in the Department's POA&M database.

[15] AUD/IT-12-14, Nov. 2011.
[16] OMB Memorandum M-04-25, Aug. 2004.

Background

Through FISMA, Congress recognized the importance of information security to the economic and national security interests of the United States. FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including information and information systems provided or managed by another agency, contractor, or source. FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of management, operational, and technical controls over IT that supports Federal operations and assets, and it provides a mechanism for improved oversight of Federal agency information security programs.

FISMA assigns specific responsibilities to Federal agencies, NIST, OMB, and the Department of Homeland Security (DHS) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce IT security risks to an acceptable level. To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, chief information security officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency's information security program and report the results to DHS.

On an annual basis, OMB, in coordination with DHS, provides guidance with reporting categories and questions for meeting the current year's reporting requirements.[17] OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with FISMA.

[17] OMB Memorandum M-12-20, Oct. 2, 2012.

Objective

The objective of this audit was to perform an independent evaluation of the Department's Information Security Program and practices for FY 2012, including testing the effectiveness of security controls for a subset of systems as required.

Results of Audit

Overall, we found that the Department had implemented an information security program, but we identified control weaknesses that significantly impacted the Information Security Program. If these control weaknesses were exploited, the Department could experience security breaches. Collectively, the control weaknesses we identified in this audit, along with the weaknesses identified by OIG in the report Audit of Department of State Access Controls for Major Applications,[18] represent a significant deficiency, as defined in OMB Memorandum M-12-20,[19] to enterprise-wide security, including the Department's financial system.

[18] AUD/IT-12-44, Sep. 2012.
The weakened security controls could adversely affect the confidentiality, integrity, and availability of information and information systems. A further compounding factor is that the Department had not taken corrective action to remediate all of the control weaknesses identified in the FY 2010 and FY 2011 FISMA reports. To improve the Information Security Program and to bring the program into compliance with FISMA, OMB, and NIST requirements, the Department needs to address the control weaknesses described.

Finding A. Continuous Monitoring Program Needs To Be Improved

Although the Information Security Steering Committee published, in August 2012, a continuous monitoring and risk management framework strategy that addressed framing risk, assessing risk, responding to risk, and monitoring risk, the control processes supporting the implementation of the continuous monitoring strategy had not been fully implemented. In addition, the Department’s remedial actions taken to resolve weaknesses identified in the FY 2010 and FY 2011 FISMA reports were not complete. Further, not all Windows servers (seven of the eight systems on ClassNet selected for testing) were reporting security posture information in iPost.

The continuous monitoring and risk management framework strategy did not address how the Department planned to monitor the security posture of the components listed below, as the components were not configured to report information into iPost (the primary continuous monitoring tool used by the Department).
The components are as follows:

• Oracle (the Department’s most common database system)
• UNIX security configurations
• Network components (for example, routers and switches)
• Demilitarized Zone servers

The repeat conditions at the system scanning level occurred because the Bureau of Diplomatic Security (DS) and IRM were still working on a solution; DS and IRM agreed that the conditions still existed. Because there was no enterprise-wide continuous monitoring strategy, security weaknesses of relevant IT components, such as databases and network devices, were not reported in iPost.

NIST SP 800-37[20] and NIST SP 800-53 CA-7[21] require that an organization-defined continuous monitoring strategy be implemented.

The causes for the conditions were as follows: (1) the Department had not finalized an enterprise-wide continuous monitoring program strategy to assist system owners in evaluating various control deficiencies and (2) Diplomatic Security/Security Infrastructure Directorate Office of Computer Security (DS/SI/CS) scheduled periodic vulnerability and compliance scans by subnet but did not include all of the subnets in the Foundstone[22] configuration.

[19] OMB Memorandum M-12-20, Oct. 2, 2012.
[20] NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems,” Feb. 2010.
[21] NIST SP 800-53, Rev. 3, CA-7, “Continuous Monitoring.”

Not having a robust continuous monitoring program prevents the Department from understanding the security state of the information system over time.
It also prevents the Department from effectively monitoring a highly dynamic network environment with changing threats, vulnerabilities, technologies, and missions/business functions.

Recommendation 1. We recommend that the Information Security Steering Committee finalize and implement an enterprise-wide continuous monitoring and risk management framework strategy that addresses framing risk, assessing risk, responding to risk, and monitoring risk.

Management Response: The Department concurred with the recommendation, stating that it had provided the OIG with a document “specific to” Finding A in the reports. The Department further stated that this document would be presented to the “Information Security Steering Committee for review and approval” within the next 6 months.

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that the Department has developed and implemented a continuous monitoring strategy.

Recommendation 2.
We recommend the Chief Information Officer, in coordination with the Bureau of Diplomatic Security and the Bureau of Information Resource Management, include, under its continuous monitoring program, an effective method to monitor the security posture for non-Windows operating systems, databases, firewalls, routers, and switches.

Management Response: The Department concurred with the recommendation, stating that it “will hold discussions and develop documentation identifying methods for monitoring the security posture for non-Windows operating systems, databases, firewalls, routers, and switches.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing methods to monitor the security posture for non-Windows operating systems, databases, firewalls, routers, and switches.

[22] A tool created by McAfee that performs vulnerability scans and generates reports with the results.

Finding B. End-to-End Configuration Management Process Needs Improvement

Although the Department had taken actions to address the weaknesses noted in the prior year with the configuration management controls, the weakness within the configuration management process still existed. We identified the following deficiencies as a result of vulnerability scanning analysis on selected systems (see Appendix D):

1. The bureaus were not installing critical security patches in a timely manner on 14 of 15 systems residing on OpenNet, including the general support system selected for testing. (Details are in Appendix C.)

2.
Systems were configured to allow unauthorized users access to system resources via anonymous logins and passwords, default credentials, and unsecured access points. (Details are in Appendix C.)

The FAM[23] requires the installation of critical patches on workstations and servers at an installation rate of 100 percent and 90 percent for non-critical patches. Also, the FAM[24] requires that unique user accounts be used and passwords be changed.

Responsibility for the implementation of configuration management controls for the systems, operating systems, databases, and network is decentralized; it is fragmented among the various system owners, database administrators, and network administrators. Additionally, the Information System Security Officers had not established and implemented a reporting process to verify that the responsible groups had implemented the security configuration patches and software updates identified by DS and IRM. To correct these weaknesses, IRM/Enterprise Network Management was implementing the end-to-end configuration management initiative, which includes a standard operating environment to support development of strong configuration management plans for the computing environments commonly used throughout the Department.

Configuration management controls allow agencies to improve system performance, decrease operating costs, increase security, and ensure public confidence in the confidentiality, integrity, and availability of Government information. Without effective configuration management controls, the Department increases the risks that Department sensitive data, systems, and hardware will be exposed to loss of integrity and confidentiality. Additionally, the Department increases the risks that known security weaknesses will be exploited by individuals to perform unauthorized activities.
The Department’s decentralized patch management and configuration management processes and procedures do not ensure that all systems and operating systems residing on the network will be properly patched in a timely manner to reduce the security exposure to other bureaus and system owners.

[23] 5 FAM 1067.3 (b).
[24] 12 FAM 622.1-3 (a).

Recommendation 3. We recommend that the Chief Information Officer, in coordination with the Bureau of Information Resource Management, Enterprise Network Management, and the Bureau of Diplomatic Security, finalize and implement the Cyber Security Architecture draft target architecture and initiative for end-to-end configuration management.

Management Response: The Department stated that it “believes . . . the current configuration management controls for the Standard Operating Environment (SOE) platform have been fully documented and are operating effectively and efficiently” and that “further documentation of key components may be useful,” concluding that “such actions will be taken to meet the intent of this recommendation.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that the Cyber Security Architecture has been finalized and implemented.

Recommendation 4.
We recommend that the Chief Information Officer, in coordination with the Bureau of Consular Affairs, the Bureau of Administration, the Bureau of Resource Management, the Office of Medical Services, the Bureau of Overseas Buildings Operations, the Bureau of International Narcotics and Law Enforcement Affairs, the Foreign Service Institute, the Bureau of Diplomatic Security, the Bureau of International Information Program, and the Bureau of Information Resource Management, continue to improve their processes to patch servers within their system boundary in a timely manner.

Management Response: The Department concurred with the recommendation, stating that it “is continually improving processes to patch servers within their system boundary in a timely manner” and that it will generate updates “periodically via email or cable to ensure that there is proper notification within the Department.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing how the Department is improving its processes to patch servers in a timely manner.

Finding C.
Standard Configuration Baselines for UNIX Need To Be Developed

Although the Security Configuration Management Branch (SCM) had developed and implemented security configuration baselines for Windows operating systems, databases, network devices, and Web applications, SCM had not developed and published the security configuration baselines for UNIX.

The FAM[25] states that Diplomatic Security/Security Infrastructure/Office of Computer Security (DS/SI/CS) is responsible for the development and updates of security configuration standards of specific IT products that are used throughout the Department.

Because of the limited number of UNIX servers in use, SCM had not assigned the resources needed to develop the security configuration baselines for UNIX.

Configuration management controls allow agencies to improve system performance, decrease operating costs, increase security, and ensure public confidence in the confidentiality, integrity, and availability of Government information. Without effective configuration management controls, the Department increases the risk that Department sensitive data, systems, and hardware are exposed to loss of availability, integrity, and confidentiality.

[25] 1 FAM 262.6-2(1)(2)(3)(6)(7)(8)(9)(17)(18)(20) and (21).

Recommendation 5.
We recommend that the Security Configuration Management Branch develop and publish the security configuration baselines for UNIX in accordance with the Foreign Affairs Manual.

Management Response: The Department concurred with the recommendation, stating that it “will review, develop and publish the security configuration baselines for UNIX, as needed, in accordance with 12 FAM.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves the security configuration baselines for UNIX in accordance with the FAM.

Finding D. Periodic Vulnerability and Compliance Scans Process and Capabilities Need Improvement

Although the Department had developed and implemented periodic vulnerability and compliance scans using Foundstone Enterprise and Policy Auditor[26] on Windows servers to address prior audit recommendations, we determined that the following weaknesses still existed:

• Capabilities to periodically scan the following components for compliance and vulnerabilities were not implemented:

  o Oracle databases
  o Applications
  o Network devices (for example, routers and switches)
  o UNIX operating systems
  o Demilitarized Zone servers

• Foundstone is currently configured to scan by subnet; however, during the independent vulnerability scan, we determined that seven of eight sampled systems on ClassNet (including the ClassNet general support system) had subnets within the system’s boundary that were not included in the periodic scans.
DS/SI/CS had taken action to include the identified subnets in the Foundstone configuration for periodic scanning.

The FAM[27] states that DS/SI/CS is responsible for conducting continuous and directed network- or application-specific vulnerability assessment testing, independent penetration testing, and intelligence monitoring to identify specific risks to those systems and for developing risk mitigation strategies to protect the Department’s IT infrastructure.

Based on interviews with key personnel and review of documents supporting the processes and procedures, we identified the following causes for the weaknesses:

• Vulnerability and compliance scanning tools had not been implemented to perform periodic vulnerability and compliance scans on Oracle databases, applications, network devices (for example, routers and switches), and UNIX operating systems.
• Discovery scans were not performed on a periodic basis to identify new components added to the network.
• DS did not have the administrative credentials needed for Demilitarized Zone servers to perform periodic scanning.

[26] A tool created by McAfee that performs compliance scans and generates reports with the results.
[27] 1 FAM 262.6-2(20).

Configuration management controls allow the Department to improve system performance, decrease operating costs, increase security, and ensure public confidence in the confidentiality, integrity, and availability of the Department’s information.
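The two scanning gaps above (boundary subnets missing from the subnet-based scan configuration, and no discovery scans to catch new components) can be checked mechanically. The following is an added example, not a Department or McAfee tool: it subtracts the scanner's configured subnets from each system's declared boundary and flags discovered hosts that no configured subnet would ever sweep. All system names, CIDR blocks, and discovered addresses are constructed.

```python
"""Scan-coverage check for a subnet-based vulnerability scanner.

Added example, not from the report: given the subnets declared inside each
system's accreditation boundary and the subnets the scanner is configured
to sweep, report the address ranges that never get scanned, and flag hosts
found by a discovery scan that fall outside every configured subnet.
All boundary, scanner, and discovery data below is constructed.
"""
import ipaddress
from typing import Dict, List

Net = ipaddress.IPv4Network

# Constructed sample: system name -> subnets declared in its boundary.
SYSTEM_BOUNDARIES: Dict[str, List[str]] = {
    "GSS-Example": ["10.10.0.0/16", "10.20.5.0/24"],
    "App-Example": ["192.0.2.0/24"],
    "DMZ-Example": ["198.51.100.0/25", "198.51.100.128/25"],
}

# Constructed sample: subnets present in the scanner's periodic-scan configuration.
SCANNER_SUBNETS: List[str] = [
    "10.10.0.0/17", "10.20.5.0/24", "192.0.2.0/24", "198.51.100.0/25",
]


def uncovered_ranges(boundary: str, scanned: List[str]) -> List[Net]:
    """Return the parts of `boundary` that no configured scan subnet contains."""
    remaining: List[Net] = [ipaddress.ip_network(boundary)]
    for cidr in scanned:
        net = ipaddress.ip_network(cidr)
        still_uncovered: List[Net] = []
        for rng in remaining:
            if net.supernet_of(rng):
                continue                      # fully covered (or equal): drop it
            if net.subnet_of(rng):
                # Partially covered: keep only the pieces outside `net`.
                still_uncovered.extend(rng.address_exclude(net))
            else:
                still_uncovered.append(rng)   # disjoint: untouched
        remaining = still_uncovered
    return sorted(remaining)


def coverage_report(boundaries: Dict[str, List[str]],
                    scanned: List[str]) -> Dict[str, List[str]]:
    """Map each system to the CIDR blocks in its boundary that are never scanned."""
    report: Dict[str, List[str]] = {}
    for system, nets in boundaries.items():
        gaps: List[str] = []
        for cidr in nets:
            gaps.extend(str(g) for g in uncovered_ranges(cidr, scanned))
        report[system] = gaps
    return report


def unscanned_hosts(discovered: List[str], scanned: List[str]) -> List[str]:
    """Hosts seen by a discovery scan that no configured subnet would ever sweep."""
    nets = [ipaddress.ip_network(c) for c in scanned]
    return [h for h in discovered
            if not any(ipaddress.ip_address(h) in n for n in nets)]


if __name__ == "__main__":
    for system, gaps in coverage_report(SYSTEM_BOUNDARIES, SCANNER_SUBNETS).items():
        status = "OK" if not gaps else "GAP " + ", ".join(gaps)
        print(f"{system:12s} {status}")
    # Constructed discovery-scan result: two hosts sit outside every configured subnet.
    found = ["10.10.3.7", "10.10.200.1", "203.0.113.9"]
    print("not covered by any scan subnet:", unscanned_hosts(found, SCANNER_SUBNETS))
```

Running the coverage report after every boundary change and every discovery scan turns "subnets not included in the periodic scans" into a finding the scanning team sees before an auditor does.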
Without effective configuration management controls, the Department increases the risks that Department sensitive data, systems, and hardware will be exposed to loss of availability, integrity, and confidentiality.

Recommendation 6. We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security/Security Infrastructure/Office of Computer Security, research, develop, and implement capabilities (for example, scanning tools) to perform periodic network vulnerability and compliance scans on Oracle databases, applications, network devices (for example, routers and switches), UNIX operating systems, and Demilitarized Zone servers.

Management Response: The Department concurred with the recommendation, stating that IRM/IA and DS had “previously identified these areas as requiring tools”; that the process of identifying and acquiring the appropriate tools “will continue”; and that once the tools have been acquired, they “will be incorporated into the Department’s scanning program.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that the vulnerability and compliance tools specified have been incorporated into the Department’s scanning program.

Recommendation 7.
We recommend that the Chief Information Officer, in coordination with Diplomatic Security/Security Infrastructure/Office of Computer Security, update the Foundstone configuration to include subnets and Demilitarized Zone servers that were not included in the Foundstone configuration for periodic scanning and obtain the administrative credentials needed to perform the scans and periodically perform discovery scanning to identify new components added to the network.

Management Response: The Department concurred with the recommendation, stating that IRM/IA and DS had “identified these areas for improvement in the current scanning capability” and were “working collaboratively to establish this capability.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that the subnets and Demilitarized Zone servers are included in the Foundstone configuration for periodic scanning.

Finding E. Account Management Processes in Active Directory Need To Be Improved

The Department needs to improve account management processes in AD for OpenNet and ClassNet. As first identified in the FY 2010 audit, OIG reported deficiencies in account management, and we found that account management deficiencies still existed within AD for OpenNet and ClassNet.

From a population of 116,821 active OpenNet AD user accounts (see Appendix D), we identified the following deficiencies:

• 5,717 accounts created from 2002 to 2011 had not been used (never logged on).
The FAM[28] requires user privileges to be reviewed annually to verify that privileges are still appropriate.

• 6,269 active user accounts had not logged on within the last 5 months. These user accounts had last logon dates between 2005 and 2011. The FAM[29] requires user privileges to be reviewed annually to verify that privileges are still appropriate.

From a population of 121,702 active OpenNet AD accounts, including users, service, and mailbox accounts, we identified the following deficiencies:

• 529 accounts had passwords set not to expire. The FAM[30] requires passwords to be changed at least every 60 days.

• 19,335 accounts had been set to not require passwords. The FAM[31] requires the removal of non-permanent (that is, visitor and training) user accounts and passwords.

AD for ClassNet had similar deficiencies. Using a risk-based audit approach, we identified instances of the same deficiencies on ClassNet as on the OpenNet AD; therefore, we did not perform detailed analyses on the ClassNet AD.

The Department uses a decentralized and fragmented process to manage AD. Specifically, each bureau and post is responsible for user account management (adding new users and removing or modifying existing users’ accounts). System Administrators identified a bit flag within AD that was enabled to permit setting certain accounts to “not require a password.”

Bureaus and posts that choose not to comply with the Department’s security standards jeopardize the safety and security of the entire network.
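The four AD conditions counted above are all visible in an account export: the "not require a password" bit flag and the "password never expires" setting are bits of the userAccountControl attribute, and the never-logged-on and inactive conditions come from the last logon timestamp. The following is an added example, not the Department's tooling: it classifies constructed account records by those conditions (using the FAM's 60-day password age and the report's 5-month inactivity window), and it skips disabled accounts because the audit population was active accounts. Account names and dates are constructed; the bit values are the ones Microsoft documents for userAccountControl.

```python
"""Active Directory account-hygiene checks mirroring the audit's tests.

Added example, not the Department's tooling: it classifies an export of AD
account records by the conditions the report counts (never logged on,
no logon within the last 5 months, password set not to expire, password
not required) and also flags passwords older than the FAM's 60-day limit.
The account records below are constructed; the userAccountControl bit
values are the ones Microsoft documents for AD.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# userAccountControl flag bits (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020         # the "does not require a password" bit
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000  # password never expires


@dataclass
class Account:
    sam: str                      # sAMAccountName
    uac: int                      # userAccountControl bitmask
    last_logon: Optional[date]    # None: the account has never logged on
    pwd_last_set: Optional[date]  # None: a password has never been set


def months_before(d: date, n: int) -> date:
    """Calendar date `n` months before `d`, clamped to that month's last day."""
    year, month = d.year, d.month - n
    while month <= 0:
        month, year = month + 12, year - 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def is_enabled(a: Account) -> bool:
    return not a.uac & ACCOUNTDISABLE


def password_never_expires(a: Account) -> bool:
    return bool(a.uac & DONT_EXPIRE_PASSWORD)


def password_not_required(a: Account) -> bool:
    return bool(a.uac & PASSWD_NOTREQD)


def audit(accounts: List[Account], as_of: date,
          inactive_months: int = 5, max_pwd_age_days: int = 60) -> Dict[str, List[str]]:
    """Return the sAMAccountNames failing each check, over enabled accounts only."""
    stale_before = months_before(as_of, inactive_months)
    findings: Dict[str, List[str]] = {
        "never_logged_on": [], "inactive": [], "password_never_expires": [],
        "password_not_required": [], "password_overdue": [],
    }
    for a in accounts:
        if not is_enabled(a):
            continue  # the audit population was active accounts
        if a.last_logon is None:
            findings["never_logged_on"].append(a.sam)
        elif a.last_logon < stale_before:
            findings["inactive"].append(a.sam)
        if password_never_expires(a):
            findings["password_never_expires"].append(a.sam)
        if password_not_required(a):
            findings["password_not_required"].append(a.sam)
        if a.pwd_last_set is not None and (as_of - a.pwd_last_set).days > max_pwd_age_days:
            findings["password_overdue"].append(a.sam)
    return findings


# Constructed sample export; names and dates are arbitrary.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("jdoe", NORMAL_ACCOUNT, date(2012, 9, 28), date(2012, 8, 15)),
    Account("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, date(2012, 9, 29), date(2010, 1, 10)),
    Account("visitor01", NORMAL_ACCOUNT | PASSWD_NOTREQD, None, None),
    Account("oldstaff", NORMAL_ACCOUNT, date(2011, 2, 14), date(2011, 2, 14)),
    Account("retired", NORMAL_ACCOUNT | ACCOUNTDISABLE, date(2008, 1, 1), date(2008, 1, 1)),
]
AS_OF = date(2012, 9, 30)  # constructed review date

if __name__ == "__main__":
    for check, names in audit(SAMPLE_ACCOUNTS, AS_OF).items():
        print(f"{check:24s} {len(names):3d}  {', '.join(names)}")
```

Run against a real export, the same five lists are what a bureau would need to act on before the annual privilege review the FAM requires.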
Inadequate account and identity management controls increase the risk that temporary and active accounts may be used by unauthorized Department and contractor personnel to perform unauthorized activities.

[28] 12 FAM 622.1-3(i).
[29] Ibid.
[30] 12 FAM 622.1-3(j).
[31] 12 FAM 622.1-3 (e) and (i).

Recommendation 8. We recommend that the Chief Information Officer, in coordination with respective System Administrators from all bureaus, take immediate action to remove or lock accounts that do not require a password.

Management Response: The Department concurred with the part of the recommendation for accounts that do not require a password, stating that IRM receives automatic [AD] “alerts when any account is created that does not require a password,” which “results in an immediate intervening response by IRM/IA.”

The Department did not concur with the part of the recommendation for accounts that have not been used for 90 days, stating that this is a “separate issue” and recommended that this issue “be addressed” in Recommendation 9.

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that accounts that do not require a password are removed or locked.

Based on the Department’s response, Recommendation 8 has been modified to remove reference to accounts that have not been used for 90 days.

Recommendation 9.
We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security, revise the Foreign Affairs Manual to provide authority to the Chief Information Officer to review and identify accounts not used within the past 90 days and to de-activate such accounts and require the bureaus and posts to recertify the user account prior to re-activating the account.

Management Response: The Department concurred with the recommendation, stating it “has initiated actions in coordination with [DS] to revise the 12 FAM to include language that provides authority to the [CIO] to review and identify accounts not used within the past 90 days and to de-activate such accounts and require the bureaus and posts to recertify the user account prior to re-activating the account.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that 12 FAM has been revised and that the accounts not used within the past 90 days have been de-activated and recertified by bureaus and posts.

Recommendation 10. We recommend that the Chief Information Officer, in coordination with bureau and post Data Center Managers and System Managers, require the posts and bureaus to configure all accounts to expire passwords in accordance with the Foreign Affairs Manual (that is, passwords must be changed every 60 days).

Management Response: The Department did not concur with the recommendation and “suggest[ed] that the recommendation be closed.”
The Department stated that its “actions are compliant with the applicable FAM” in that it “requires that user accounts be configured to require an account password.”

OIG Analysis: OIG considers the recommendation unresolved and open because there are accounts with passwords on the network that are set to not expire. However, OIG modified the recommendation to require that passwords be changed every 60 days in accordance with the FAM. The recommendation can be closed when OIG reviews and approves documentation showing that the Department has configured its accounts so that passwords are changed every 60 days.

Finding F. The User Provisioning Process for Creating, Modifying, and Disabling Users’ Accounts Requires Significant Improvement

The Department had made significant progress in improving the user provisioning process; however, we found the following:

• From a population of 198 Foreign Service and Civil Service terminated employees (Domestic) and 186 Foreign Service and Civil Service terminated employees (Overseas), we identified user accounts for six terminated employees in the OpenNet AD accounts that were not disabled and found that the user accounts had last logon dates after the date of the employees’ termination.
Upon notification, the Department disabled and removed these accounts from AD and conducted analyses to determine whether any unauthorized activities had been performed on these accounts.

• Of the 25 samples selected for new user testing, we determined the following:

  o Four new user account request forms could not be located:
    ▪ Forms for none of the three new users in Kabul, Afghanistan, could be located.
    ▪ The form for one of the 11 new users at the Foreign Service Institute could not be located.

  o Expiration dates were not set for either of the two users in the Office of the Secretary.

The FAM[32] requires the data center manager and the system manager, in conjunction with the Information System Security Officer, to revoke user access privileges for terminated or transferred personnel. Personnel officers must notify the data center manager, the system manager, and the Information System Security Officer immediately of any employee or contractor with access to the system whose employment is being terminated for any reason. The FAM[33] requires supervisors to complete a system access request form for each staff member who requires automated information system access. The Department’s procedure[34] states that expiration dates need to be set in AD to ensure that accounts lock after one year if the users do not complete the annual Cyber Security Awareness Training.

[32] 12 FAM 621.3-3.
[33] 12 FAM 622.1-2(b).
[34] Department of State Global Address List (GAL) and Active Directory Standardization Guide, dated Feb. 24, 2012.

The user provisioning weaknesses occurred because the bureaus were not disabling accounts in a timely manner.
Furthermore, in lieu of the Department of State Logon Request form, users in Afghanistan send emails via the Office of Orientation and In Processing (OIP) directly to IRM/Operations/Customer Service Office/Desktop Support Division IT Mart to create accounts for users in Afghanistan. Although all OIP Afghanistan computer account requests are supposed to be entered into SharePoint by Program Assistants, OIP could not locate the emails initiating the request for these accounts. The Foreign Service Institute could not locate the new user access request form for the new user selected for testing. Because of the nature of the work performed by members in the Office of the Secretary, AD accounts are not set to expire.

Ineffective user provisioning program procedures and practices increase the Department’s risk of unauthorized access, use, disclosure, disruption, modification, or destruction of information. These control weaknesses increase the potential for unauthorized activities to occur without being detected in a timely manner and to adversely affect the confidentiality, integrity, and availability of the data on the network.

Recommendation 11. We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security, determine whether unauthorized access was performed using the terminated employees’ credentials and whether Department information had been compromised.

Management Response: The Department concurred with the recommendation, stating that “corrective actions have been taken” by IRM “to disable and remove the accounts” from AD and that analyses are conducted to determine whether “any unauthorized activities had been performed on these accounts.”

OIG Analysis: OIG considers the recommendation resolved.
The recommendation can be closed when OIG reviews and approves the documentation showing that the accounts have been disabled and removed and an analysis of unauthorized activity has been performed.

Recommendation 12. We recommend that the Chief Information Officer, in coordination with Information System Security Officers and system administrators of the Bureau of East Asian and Pacific Affairs, the Bureau of Near Eastern Affairs, the Washington District of Columbia, and the Bureau of Western Hemisphere Affairs, improve the process of disabling terminated employees’ user accounts in a timely manner.

Management Response: The Department concurred with the recommendation, stating that it “will initiate a policy that requires periodic review ensuring that” user accounts for employees who have been terminated “are disabled in a timely manner.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing that user accounts of terminated employees have been disabled in a timely manner.

Recommendation 13. We recommend that the Chief Information Officer, in coordination with the Orientation and In-Processing Center, enforce the use of the Department of State Logon Request form for new users in Afghanistan.

Management Response: The Department concurred with the recommendation, stating that “a process will be developed and implemented ensuring that new users in overseas locations complete the Department of State Logon Request form.”

OIG Analysis: OIG considers the recommendation resolved.
The recommendation can\nbe closed when OIG reviews and approves documentation showing that the Department\nhas developed and implemented a process ensuring that new users in overseas locations\ncomplete the form.\n\nRecommendation 14. We recommend that the Chief Information Officer, in\ncoordination with Information Resource Management/Operations Directorate/Computer\nSecurity Office/Desktop Support Division, update the Information Technology Mart\nStandard Operating Procedures to reflect the updated account management procedures for\nnew users in Afghanistan.\n\nManagement Response: The Department concurred with the recommendation, stating\nthat it \xe2\x80\x9cwill develop and update procedures on account management for new users in\noverseas locations.\xe2\x80\x9d\n\nOIG Analysis: OIG considers the recommendation resolved. The recommendation can\nbe closed when OIG reviews and approves documentation showing the procedures on\naccount management for new users in overseas locations.\n\nRecommendation 15. 
We recommend that the Chief Information Officer, in\ncoordination with Office of the Secretary, develop and finalize exemptions/waivers to\nallow for the deviation from the standard of setting expiration dates for Office of the\nSecretary user accounts in Active Directory.\n\nManagement Response: The Department generally did not concur with the\nrecommendation \xe2\x80\x9cas stated\xe2\x80\x9d and suggested that the recommendation in the draft report\n\xe2\x80\x9cbe revised to separately address\xe2\x80\x9d two issues.\n\nBased on the response, OIG revised Recommendation 15 in the draft report to become\nRecommendations 15 and 16 in this final report.\n\nThe Department concurred with the new recommendation, stating that the Office of the\nSecretary \xe2\x80\x9calready has a procedure in place to set expiration dates manually for user\naccounts in [AD], a waiver to the automatic expiration policy will allow [the Office of the\nSecretary] to continue monitoring the accounts and modifying them manually to ensure\nno interruption in service and compliance with the relevant portions of the DS Security\npolicy.\xe2\x80\x9d\n\nOIG Analysis: OIG considers the recommendation resolved. The recommendation can\nbe closed when OIG reviews and approves the final policy on exemptions/waivers from\nthe standard of setting expiration dates for Office of the Secretary user accounts in AD.\n\n\n\n                                     17\n                                UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n          Recommendation 16. 
We recommend that the Chief Information Officer, in\n          coordination with Office of the Secretary, develop and implement a process that ensures\n          that Office of the Secretary users complete the required Cyber Security Awareness\n          Training on an annual basis.\n\n          Management Response: The Department concurred with the new Recommendation 16\n          in this report, stating that the Office of the Secretary \xe2\x80\x9cwill ensure\xe2\x80\x9d all employees receive\n          cyber security awareness training.\n\n          OIG Analysis: OIG considers the recommendation resolved. The recommendation can\n          be closed when OIG reviews and approved documentation showing that Office of the\n          Secretary users are completing the required Cyber Security Awareness Training annually.\n\nFinding G. Risk Management Framework Needs Improvement\n         Although the Department had made progress to address prior year findings, weaknesses\nstill existed within the risk management process, particularly the security controls assessments.\nThe following discrepancies were noted with the controls:\n          \xef\x82\xb7   System security plans did not comply with NIST SP 800-53, Revision 3, for nine of\n              16 systems selected for testing residing on the OpenNet. (Details are in Appendix F.)\n\n          \xef\x82\xb7   The OpenNet general support system authorization to operate (ATO) expired in\n              August 2010, and the security controls assessment will not be completed until FY\n              2013.\n\n        OMB35 states that agencies\xe2\x80\x99 legacy information systems are expected to be in compliance\nwith NIST standards and guidelines within a year of the publication date unless otherwise\ndirected by OMB. 
Also, OMB Circular A-130, Appendix III, requires that general support and major systems’ security controls be reviewed at least every 3 years or when a major change occurs.

The Department did not publish the updated Certification & Accreditation (C&A) Toolkit and required templates until December 2011, even though NIST SP 800-53, Revision 3, was finalized in August 2009. The updates addressed the NIST SP 800-53, Revision 3, requirements. Also, in February 2010, NIST SP 800-37, Revision 1, was released and introduced changes to the security authorization process. As such, the Chief Information Officer extended the OpenNet ATO through August 2011 in an effort to develop continuous security authorization by leveraging iPost capabilities to increase security while reducing costs. The ATO was then extended twice more after August 2011, first to March 2012 and then to December 2012. The decision to conduct the full security authorization was not made until February 2012.

Systems for which assessments had not been performed in accordance with NIST SP 800-53, Revision 3, might not possess the security controls needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions. Systems residing on OpenNet inherit controls from the OpenNet general support system. Since the OpenNet ATO had expired, Department officials might not have the desired or required level of assurance that the inherited security controls, as implemented, were effective.

[35] OMB Memorandum M-12-20, Oct. 2, 2012.

Recommendation 17. We recommend that the Chief Information Officer, in coordination with Information Resource Management/Information Assurance, continue to review the security authorization and annual assessments to ensure that the Information System Owner, Information System Security Officer, and Security Control Assessor for all Federal Information Security Management Act reportable systems use the published Certification & Accreditation Toolkit templates during the annual controls assessment to assess the applicable National Institute of Standards and Technology Special Publication 800-53, Revision 3, “Recommended Security Controls for Federal Information Systems and Organizations,” controls and update the System Security Plan accordingly.

Management Response: The Department did not concur with the recommendation, stating that it “asserts that the referenced practices and controls are being fully implemented.”

OIG Analysis: OIG considers the recommendation unresolved and open. OIG agrees with the Department that it has implemented practices to ensure compliance with NIST SP 800-53, Revision 3. However, the Department needs to make progress regarding the security authorization process, since OIG identified nine of 25 system security plans that did not comply with the publication, and the OpenNet general support system authorization to operate (ATO) expired in August 2010.

This recommendation can be closed when OIG reviews and approves documentation showing that the Department is complying with NIST SP 800-53, Revision 3, as it pertains to the applicable controls.

Recommendation 18. We recommend that the Chief Information Officer continue to track the progress of the full authorization of the OpenNet general support system.

Management Response: The Department concurred with the recommendation, stating that the Chief Information Officer, IRM/IA, and IRM’s Office of Operations are all “expending significant time and resources to ensure [that] progress of the full authorization of the OpenNet general support system is occurring.” The Department further stated, “Ongoing progress reports are submitted to the Chief Information Officer.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves documentation showing the full authorization of the OpenNet general support system.

Finding H. Information Security Training Requirements Were Not Enforced

Although DS/SI/CS had made progress with the Information Security Training Program in FY 2012 to resolve the deficiencies identified in FY 2011, security control weaknesses still existed.

We selected a sample of six SSRs identified in the Information Assurance Training Plan and identified 46 new employees who were assigned those responsibilities.
We found that none of the 46 new employees with SSRs had taken the Department’s recommended role-based security-related training courses as of May 22, 2012.

In addition, the FY 2011 evaluation found that the Department had established controls to identify SSR positions and required role-based security-related training in the Information Assurance Training Plan; however, the Department was not tracking and documenting SSR training attendance.

IRM/IA and DS/SI/CS rely on employees to track their own role-based training. The Department had not established procedures to track and document compliance with SSR training attendance. Also, the IA Training Plan did not mandate when role-based training was to be completed.

The Information Assurance Training Plan recommends that personnel with significant security responsibilities attend their designated role-based security-related courses within 6 months of title designation and every 3 years thereafter for refresher training. Also, NIST SP 800-53, Revision 3, requires the organization to provide role-based security-related training (i) before authorizing access to the system or performing assigned duties, (ii) when required by system changes, and (iii) on a periodic basis (defined by the organization) thereafter.

Employees and contractors in positions responsible for the security of the organization’s information and information systems need to be properly trained on how to protect classified information. Without proper training, these employees and contractors could introduce vulnerabilities or cause security breaches, which increases the risk of a computer security incident resulting in the loss of sensitive data.

Recommendation 19. We recommend that the Chief Information Officer, in coordination with Information Resource Management/Information Assurance and the Office of Computer Security (DS/SI/CS), update the Information Assurance Training Plan to require that newly hired and current employees and contractors in positions responsible for the security of the organization’s information and information systems complete role-based security-related training before being authorized access to the system or performing assigned duties and periodically thereafter (for example, annually).

Management Response: The Department concurred with the recommendation, stating that IRM/IA and DS/SI/CS “have initiated actions to update the Information Assurance Training Plan and develop additional language on newly hired and current employees, contractors, including role-based security-related training.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves the finalized Information Assurance Training Plan and the additional language on newly hired and current employees and contractors, including role-based security-related training.

Recommendation 20. We recommend that the Chief Information Officer, in coordination with Information Resource Management/Information Assurance and all bureaus, develop and implement monitoring processes and procedures to ensure that personnel with significant security responsibilities receive the appropriate training in accordance with the Information Assurance Training Plan.

Management Response: The Department concurred with the recommendation, stating that IRM/IA and DS/SI/CS “have initiated actions to update the Information Assurance Training Plan and develop additional language on newly hired and current employees, contractors, including role-based security-related training.”

OIG Analysis: OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and approves the finalized Information Assurance Training Plan and the additional language on newly hired and current employees and contractors, including role-based security-related training.

Finding I. Plans of Action and Milestones Are Not Effective

Various bureaus and offices, including the Bureau of Consular Affairs, IRM, the Bureau of Human Resources, the Office of Medical Services, the Bureau of Arms Control, Verification and Compliance, the Office of the Secretary, and the Bureau of Overseas Buildings Operations, were not compliant with the Department’s POA&M process.[36]

1. For systems residing on OpenNet:
   a. 58 percent of open POA&M control weaknesses (2,006 of 3,458) were overdue by more than 90 days. For example,
      i. 235 open POA&Ms were over 2 years old.
      ii. The Bureau of Consular Affairs alone had 927 POA&Ms that were overdue.
   b. There were 515 POA&Ms that were remediated from December 2009 to March 2012, but verification had not been performed by the Bureau Executive, Information System Owner, or designee to close out those POA&Ms.
   c. POA&M fields were not being consistently updated as required:
      i. For 2,858 POA&Ms (83 percent), resources were not budgeted.
2. For systems residing on ClassNet, 36 percent of open POA&M control weaknesses (365 of 1,006) were overdue by more than 290 days. For example,
   a. 39 open POA&Ms were over 2 years old.
   b. The Office of the Secretary and IRM each had more than 100 open POA&Ms that were overdue.

[36] Department of State POA&M Toolkit.

A POA&M is a tool that identifies tasks that need to be accomplished. It details the resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones.[37] The POA&M should also identify other non-funding obstacles and challenges to resolving the weakness. POA&Ms must include all security weaknesses found during any other review done by, for, or on behalf of the agency. These plans should be the authoritative agency-wide management tool, inclusive of all evaluations.[38]

The Information System Owner or the Executive Director (or designee) for a bureau was not taking the following actions:

• Providing the resources needed to close actions.
• Taking management action, as needed, to ensure work is completed on schedule.
• Reviewing status (at least quarterly) by looking at relevant bureau POA&M tracking database reports (after the database is updated for the quarter).

IRM/IA distributes a quarterly POA&M grading memorandum for OpenNet systems to Bureau Executives. However, the memorandum does not require the bureaus to respond to IRM/IA with the actions they intend to take to ensure that outstanding POA&Ms are closed out in a timely manner. At the conclusion of our fieldwork, IRM/IA had updated the memorandum with the response requirement and stated that it would implement this requirement in Quarter 4 of FY 2012 and that IRM/IA had been working with its counterparts within each bureau to reduce the number of outstanding POA&Ms.

Recommendation 21. We recommend that the Chief Information Officer, in coordination with the Bureau of Consular Affairs, the Bureau of Information Resource Management, the Bureau of Human Resources, the Office of Medical Services, the Bureau of Arms Control, Verification and Compliance, the Office of the Secretary, and the Bureau of Overseas Buildings Operations Bureau Executive Director or Information System Owner, their equivalent, or a designee, ensure that responses are provided to the Quarterly Plan of Action & Milestones Grade Memorandums addressing how the bureaus and offices plan to close out the outstanding plans of action and milestones; that expired plan of action and milestones completion dates for corrective actions and the resources required for remediation are updated; that remediation actions undertaken for plans of action and milestones are verified in a timely manner; and that required fields within the plans of action and milestones are populated (for example, resources).

[37] OMB Memorandum M-02-01, Oct. 17, 2001.
[38] OMB Memorandum M-04-25, Aug. 2004.

Management Response: The Department concurred with the recommendation, stating that IRM/IA and DS/SI/CS had “taken action to include in the recently issued . . . POA&M grading memos, instructions for the [b]ureaus to respond within 10 business days on their plans to remediate and close open POA&M entries.” The Department further stated, “A report of the responders has been sent to the Chief Information Security Officer for further action and escalation.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing the instructions for the bureaus to respond on their plans to remediate and close open POA&M entries and documentation showing that the report of the responders has been sent to the Chief Information Security Officer for further action and escalation.

Finding J. Remote Access Policies and Procedures Need Improvement

Remote access controls can be improved. IRM/IA has a process in place to authorize remote administration using Remote Desktop Protocol via Global OpenNet (GO) for administrators, which contradicts 12 FAM 680, which prohibits remote administration. 12 FAM 680 is outdated because it does not reflect business requirements for remote administration. The FAM[39] states that remote access is authorized only for user-level privileges; remote administration/maintenance is prohibited. Remote access for system administration needs to be granted because of the time zone differences among the constituencies the Department of State serves overseas.

Additionally, supporting documentation was not provided, and we were not able to test authorization requests for key fobs/tokens. Remedy tickets evidencing service requests for key fobs/tokens for remote access could not be located for 19 of 25 new employees selected for testing.
The respective bureaus did not submit service requests for key fobs/tokens to the IT Service Center, and as such, Remedy tickets could not be provided.

[39] 12 FAM 682.2-3.

Lack of supervisory approval for remote access increases the Department’s risk that an insider will gain unauthorized remote access to the Department’s systems. This would enable unauthorized activities such as modifying, improperly releasing, or intentionally destroying sensitive Department data.

Recommendation 22. We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security, update the Foreign Affairs Manual, 12 FAM 680, to reflect the current process of granting administrators the capability for remote administration (for example, allowing exception waivers for remote access administration).

Management Response: The Department did not concur with this recommendation, stating that the “current 12 FAM policy is clear and unambiguous on this topic.” The Department further stated that IRM/IA’s policy on the exemption process “provides that each exemption is fully documented and available for review.”

OIG Analysis: OIG considers the recommendation unresolved and open. The FAM, 12 FAM 680, prohibits remote administration/maintenance, which conflicts with IRM/IA’s policy on the exemption process.

This recommendation can be closed when OIG reviews and approves documentation showing that 12 FAM 680 has been updated to reflect the current process of granting administrators the capability for remote administration.

Recommendation 23. We recommend that the Chief Information Officer, in coordination with all bureaus and their respective Executive Directors, improve the process for submitting service requests to the Information Technology Service Center for key fobs/tokens for new employees.

Management Response: The Department did not concur with the recommendation, stating that it “is compliant with [OMB’s] requirement to track fobs/tokens to identify the personnel who participate in telework opportunities.”

OIG Analysis: OIG considers this recommendation unresolved and open. The correlation between users with key fobs/tokens and personnel who participate in telework opportunities could not be determined. Service requests to the Information Technology Service Center for key fobs/tokens are initiated by Telework Agreement Approvals. From a sample of 25 users with key fobs/tokens, service requests for 19 users could not be provided.

This recommendation can be closed when OIG reviews and approves the Department’s actions for improving the process for submitting service requests as specified.

Finding K. The Continuity of Operations Program Needs To Be Improved

Contingency plans have been developed at the system level, bureau level, and even the national level; however, the COOP for communications and the infrastructure was not documented at the Department level (entity). Also, an entity-wide BIA had not been documented to ensure the coordination of recovery prioritization of critical mission/business processes and services in the event of a disruption at the Enterprise Service Operation Center.

According to NIST SP 800-34, Revision 1, Federal Continuity Directive 2 provides a required template for a process-based BIA that identifies the information systems supporting COOP functions.

IRM is focused on the Emergency Action Plan, which ensures the safety of Department employees and bureau readiness, rather than on the COOP, which provides for the continuation of communications and the network for the entire Department. The Department had not modified the FAM to provide guidance and direction for COOP development. During the fieldwork of the audit, the Department was in the process of developing the BIA.

Without a BIA, the Department increases the risk that it will not recover primary mission-critical functions based on established recovery priorities, and critical mission/business processes and services might not be restored in the required timeframe in the event of a disruption.

Recommendation 24. We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security, update the Foreign Affairs Manual to provide guidance and direction for Continuity of Operations Plan development and implementation.

Management Response: The Department concurred with the recommendation, stating that it “is currently working with DS to update the FAM.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that the portion of the FAM described has been updated.

Recommendation 25. We recommend that the Chief Information Officer, in coordination with the Bureau of Information Resource Management/Information Assurance, perform an entity-wide Business Impact Analysis and develop a strategy to prioritize recovery of the critical assets within the Department and align the Business Impact Analysis of the primary mission-critical functions with Information Resource Management’s Maximum Tolerable Downtime for the network.

Management Response: The Department concurred with the recommendation, stating that it “has taken corrective actions to develop a Business Impact Analysis.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing that the entity-wide Business Impact Analysis has been finalized.

Recommendation 26. We recommend that the Chief Information Officer, in coordination with the Bureau of Information Resource Management/Information Assurance, develop a Continuity of Operations Plan for communications and the infrastructure at the Department level (entity) that complies with National Institute of Standards and Technology Special Publication 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, and includes the standard elements of a Continuity of Operations Plan.

Management Response: The Department concurred with the recommendation, stating that the Chief Information Officer and IRM/IA were developing a Continuity of Operations Plan for communications that “complies with the applicable NIST guidance and will include the standard elements of a Continuity of Operations Plan.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing the finalized Continuity of Operations Plan for communications that complies with the applicable NIST guidance and includes the standard elements of a Continuity of Operations Plan.

Finding L. Information System Contingency Plans Need To Be Improved

Although the Department had made some progress in addressing the prior years’ audit findings for the information system contingency plans, weaknesses still existed as follows:

• Alternate processing site details were not documented in the Contingency Plans for five of 16 systems residing on OpenNet and four of 10 systems residing on ClassNet that we selected for testing. (Details are in Appendix H.)
• Annual Contingency Plan tests were not performed for FY 2012 on two of 16 systems residing on OpenNet and four of 10 systems residing on ClassNet that we selected for testing. (Details are in Appendix G.)

NIST[40] requires agencies to identify an alternate storage site that is geographically separated from the primary storage site so as not to be susceptible to the same hazards and to conduct annual tests of backup information to verify media reliability and information integrity.

NIST[41] requires an organization to perform tests and/or exercises of the contingency plan for the information system. In addition, the IRM/IA Contingency Planning Toolkit requires testing contingency plans on an annual basis.

[40] NIST SP 800-53, Rev. 3, CP-7, “Alternate Processing Site.”
[41] NIST SP 800-53, Rev. 3, CP-4, “Contingency Plan Testing and Exercises.”

The Department had a decentralized process for developing and implementing a system’s contingency plan and had not developed processes to ensure that bureaus comply with the IRM/IA Contingency Planning Toolkit by performing annual contingency plan tests and providing the required documentation to IRM/IA.

By inadequately documenting the contingency plan, the Department increases the risk of failing to maintain operations or to recover mission-critical systems in a timely manner in the event of a significant disruption in operations. As a result, the Department increases its risk of failing to meet its primary mission-critical functions and to continue normal business activities in service to the public at home and abroad.

Recommendation 27. We recommend that the Chief Information Officer, in coordination with bureaus and the Information System Owners, document and maintain alternate site locations and procedures for accessing the alternate site, perform annual contingency plan tests, and update contingency plans with test results as necessary.

Management Response: The Department concurred with the recommendation, stating that IRM/IA had taken “corrective actions to incorporate checklist questions regarding the existence of alternate site locations, as well as procedures for accessing these facilities.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing the finalized checklist questions regarding the existence of alternate site locations, as well as procedures for accessing these facilities.

Finding M. Oversight of Contractor Systems and Extensions Needs Improvement

Efforts had been made to strengthen the Department’s oversight of contractor and government systems and the extension program; however, weaknesses still existed as follows:

• The Gateway to State and Foreign Service Officer Test systems, each identified as Contractor Company Hosted Systems within the IT Asset Baseline system, had system security plans that were not compliant with NIST SP 800-53, Revision 3, requirements.
• Not all government extensions (older sites) had been documented (that is, an OpenNet extension exists at the Broadcasting Board of Governors, and authorization memoranda were not available or did not exist).

OMB[42] requires agencies to be fully responsible and accountable for ensuring that contractor systems are compliant with FISMA. Agencies must ensure identical, not “equivalent,” security procedures.

IRM did not publish the updated C&A Toolkit until December 2011, even though NIST SP 800-53, Revision 3, was finalized in August 2009. OMB requires compliance with new special publications within a year unless otherwise stated. For the OpenNet extensions, IRM only tracked extensions at contractor sites and did not treat other Government agencies as contractors.

Without adequate oversight of contractor-hosted systems, government extensions, and contractor extensions, the Department cannot ensure that the contractors’ information security controls are compliant with FISMA, OMB requirements, and NIST standards. Further, the Department increases the risk of unauthorized access, use, disclosure, disruption, modification, or destruction of Department data that is collected, processed, and maintained by contractor-hosted systems, government extensions, and contractor extensions.

[42] OMB Memorandum M-12-20, Oct. 2, 2012.

Recommendation 28. We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security, continue to ensure that annual physical inspections are completed for all OpenNet and ClassNet extensions.

Management Response: The Department concurred with the recommendation, stating that it “will continue to ensure compliance with established schedules.”

OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and approves documentation showing the Department’s progress in complying with established schedules.

Recommendation 29. We recommend that the Chief Information Officer, in coordination with the Bureau of Information Resource Management/Information Assurance, continue to review System Security Assessment packages, annual controls assessments, and contingency plan tests to ensure that bureaus are implementing the required National Institute of Standards and Technology Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations controls and updating System Security Plans for the contractor-hosted systems.

Management Response: The Department concurred with the recommendation, stating that it “will continue to conduct the normal processing reviews to ensure compliance with NIST SP 800-53 rev. 3 and subsequent revisions.”

OIG Analysis: OIG considers the recommendation resolved.
This recommendation can\n       be closed when OIG reviews and approves documentation showing the contractor-hosted\n       systems\xe2\x80\x99 compliance with National Institute of Standards and Technology Special\n       Publication 800-53, Revision 3.\n\n       Recommendation 30. We recommend that the Chief Information Officer, in\n       coordination with the Bureau of Information Resource Management/Information\n       Assurance, continue to implement procedures to coordinate security activities for\n       tracking all extensions (that is, contractor sites and other government agencies via iPost)\n       to OpenNet and ClassNet.\n\n       Management Response: The Department did not concur with the recommendation,\n       stating that it \xe2\x80\x9casserts the current process in practice are effective, periodic review of the\n       process will be conducted and updates made when needed.\xe2\x80\x9d\n\n       OIG Analysis: OIG modified the recommendation from the draft report to \xe2\x80\x9ccontinue\xe2\x80\x9d to\n       implement procedures to coordinate security activities for tracking all extensions, since\n       the procedures were recently implemented during the audit (FY2012).\n\n       OIG considers the recommendation resolved. The recommendation can be closed when\n       OIG reviews and approves documentation showing the tracking of all OpenNet and\n       ClassNet extensions (that is, contractor sites and other government agencies via iPost).\n\nFinding N. Security Capital Planning Requires Improvement\n       Our review of the business cases and OMB Exhibits 300 for the new enterprise level IT\ninvestments (Application Services, Data Center Services/Hosting, and Deployment, Maintenance\n& Refresh) found that the IRM exhibits were not complete because the IT investments were\nnewly established Exhibits 300 this fiscal year. 
Specifically, we found that Investment level\n\n                                             28\n                                        UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\nAcquisition Plan, Earned Value, Integrated Program Team Charter, Investment Charter, Project\nCharters (as appropriate), and Risk Management Plan were incomplete within electronic\nCapital Planning Investment Control (eCPIC).43 However, the IRM Portfolio Management\nDivision was working with the respective Program Managers to ensure that these investments\nhad up-to-date and complete eCPIC reporting for the next submission to OMB.\n\n        OMB44 states that agencies must develop and maintain the following documents, all of\nwhich may be requested, and are subject to delivery within 10 business days: Investment Level\nAlternative Analysis, Investment Level Acquisition Plan, Earned Value Reports on large\nprojects, Integrated Program Team Charter, Investment Charter; Project Charters (as\nappropriate), and Risk Management Plan.\n\n        According to officials in the Portfolio Management Division, the newly assigned IRM\nService Line Program Manager did not have the time to gain the appropriate level of guidance,\ntraining, and understanding of the new eCPIC requirements to ensure complete Exhibits 300\nand accurate identification and reporting of the resources required to protect the information\nsystems.\n\n        Without providing proper justification for funds, IRM\xe2\x80\x99s accountability of the IT\nInfrastructure investment is not fully supported. OMB will not give the investment\xe2\x80\x99s Exhibit 300\na passing score if the Exhibits are incomplete. Failure to earn a passing score puts the\ninvestment\xe2\x80\x99s entire Exhibit 300 at risk for failing and for losing funding. 
These project charters\nand risk management plans are critical not only to investments\xe2\x80\x99 success but also to securing the\nfunding necessary to acquire and operate IT investments.\n\n        Recommendation 31. We recommend that the Bureau of Information Resource\n        Management senior management ensure that Information Technology Service Line\n        Program Managers obtain the appropriate level of electronic Capital Planning Investment\n        control tool training and understanding regarding their electronic Capital Planning\n        Investment Control reporting requirements and that they are held accountable for\n        completing their respective Exhibits 300, including the accurate reporting of the\n        resources required to protect their information systems, as part of the next electronic\n        Capital Planning Investment Control submission.\n\n        Management Response: The Department concurred with the recommendation, stating\n        that it was \xe2\x80\x9cidentifying training opportunities to further understand the reporting\n        requirements needed to ensure accurate reporting of Capital Planning Investment Control\n        submissions.\xe2\x80\x9d\n\n        OIG Analysis: OIG considers the recommendation resolved. This recommendation can\n        be closed when OIG reviews and approves documentation, showing that Information\n\n43\n   The Department of State\xe2\x80\x99s electronic Capital Planning Investment Control (eCPIC) portfolio management tool\nthat is used for managing IT investments.\n44\n   \xe2\x80\x9cOMB Guidance on Exhibit 300 \xe2\x80\x93 Planning, Budgeting, Acquisition, and Management of Information\nTechnology Capital Assets,\xe2\x80\x9d Aug. 
2011.\n\n                                                  29\n                                             UNCLASSIFIED\n\x0c                              UNCLASSIFIED\n\nTechnology Service Line Program Managers have been trained on the electronic Capital\nPlanning Investment control tool.\n\n\n\n\n                                   30\n                              UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n                       List of Current Year Recommendations\n\nRecommendation 1. We recommend that the Information Security Steering Committee finalize\nand implement an enterprise-wide continuous monitoring and risk management framework\nstrategy that addresses framing risk, assessing risk, responding to risk, and monitoring risk.\n\nRecommendation 2. We recommend the Chief Information Officer, in coordination with the\nBureau of Diplomatic Security and the Bureau of Information Resource Management, include,\nunder its continuous monitoring program, an effective method to monitor the security posture for\nnon-Windows operating systems, databases, firewalls, routers, and switches.\n\nRecommendation 3. We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Information Resource Management, Enterprise Network Management, and the\nBureau of Diplomatic Security, finalize and implement the Cyber Security Architecture draft\ntarget architecture and initiative for end-to-end configuration management.\n\nRecommendation 4. 
We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Consular Affairs, the Bureau of Administration, the Bureau of Resource\nManagement, the Office of Medical Services, the Bureau of Overseas Buildings Operations, the\nBureau of International Narcotics and Law Enforcement Affairs, the Foreign Service Institute,\nthe Bureau of Diplomatic Security, the Bureau of International Information Program, and the\nBureau of Information Resource Management, continue to improve their processes to patch\nservers within their system boundary in a timely manner.\n\nRecommendation 5. We recommend that the Security Configuration Management Branch\ndevelop and publish the security configuration baselines for UNIX in accordance with the\nForeign Affairs Manual.\n\nRecommendation 6. We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Diplomatic Security/Security Infrastructure/Office of Computer Security, research,\ndevelop, and implement capabilities (for example, scanning tools) to perform periodic network\nvulnerability and compliance scans on Oracle databases, applications, network devices (for\nexample, routers and switches), UNIX operating systems, and Demilitarized Zone servers.\n\nRecommendation 7. : We recommend that the Chief Information Officer, in coordination with\nDiplomatic Security/Security Infrastructure/Office of Computer Security, update the Foundstone\nconfiguration to include subnets and Demilitarized Zone servers that were not included in the\nFoundstone configuration for periodic scanning and obtain the administrative credentials needed\nto perform the scans and periodically perform discovery scanning to identify new components\nadded to the network.\nRecommendation 8. We recommend that the Chief Information Officer, in coordination with\nrespective System Administrators from all bureaus, take immediate action to remove or lock\naccounts that do not require a password.\n\nRecommendation 9. 
We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Diplomatic Security, revise the Foreign Affairs Manual to provide authority to the\n                                            31\n                                       UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\nChief Information Officer to review and identify accounts not used within the past 90 days and to\nde-activate such accounts and require the bureaus and posts to recertify the user account prior to\nre-activating the account.\n\nRecommendation 10. We recommend that the Chief Information Officer, in coordination with\nbureau and post Data Center Managers and System Managers, require the posts and bureaus to\nconfigure all accounts to expire passwords in accordance with the Foreign Affairs Manual (that\nis, passwords must be changed every 60 days).\n\nRecommendation 11. We recommend that the Chief Information Officer, in coordination with\nBureau of Diplomatic Security, determine whether unauthorized access was performed using the\nterminated employees\xe2\x80\x99 credentials and whether Department information had been compromised.\n\nRecommendation 12. We recommend that the Chief Information Officer, in coordination with\nInformation System Security Officers and system administrators of the Bureau of East Asian and\nPacific Affairs, the Bureau of Near Eastern Affairs, the Washington District of Columbia, and\nthe Bureau of Western Hemisphere Affairs, improve the process of disabling terminated\nemployees user accounts in a timely manner.\n\nRecommendation 13. We recommend that the Chief Information Officer, in coordination with\nthe Orientation and In-Processing Center, enforce the use of the Department of State Logon\nRequest form for new users in Afghanistan.\n\nRecommendation 14. 
We recommend that the Chief Information Officer, in coordination with\nInformation Resource Management/Operations Directorate/Computer Security Office/Desktop\nSupport Division, update the Information Technology Mart Standard Operating Procedures to\nreflect the updated account management procedures for new users in Afghanistan.\n\nRecommendation 15. We recommend that the Chief Information Officer, in coordination with\nOffice of the Secretary, develop and finalize exemptions/waivers to allow for the deviation from\nthe standard of setting expiration dates for Office of the Secretary user accounts in Active\nDirectory.\n\nRecommendation 16. We recommend that the Chief Information Officer, in coordination with\nOffice of the Secretary, develop and implement a process that ensures that Office of the\nSecretary users complete the required Cyber Security Awareness Training on an annual basis.\n\nRecommendation 17. We recommend that the Chief Information Office, in coordination with\nInformation Resource Management/Information Assurance, continue to review the security\nauthorization and annual assessments to ensure that Information System Owner, Information\nSystem Security Officer, and Security Control Assessor for all Federal Information Security\nManagement Act reportable systems use the published Certification & Accreditation Toolkit\ntemplates during the annual controls assessment to assess the required National Institute of\nStandards and Technology Special Publication 800-53, Revision 3, Recommended Security\nControls for Federal Information Systems and Organizations controls applicable and update the\nSystem Security Plan accordingly.\n\n\n                                            32\n                                       UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\nRecommendation 18. 
We recommend that the Chief Information Officer continue to track the\nprogress of the full authorization of the OpenNet general support system.\n\nRecommendation 19. We recommend that the Chief Information Officer, in coordination with\nInformation Resource Management/Information Assurance and Office of Computer Security\n(Diplomatic Security/Systems Integrity/Civil Service), update the Information Assurance\nTraining Plan to require newly hired and current employees and contractors who are in positions\nthat are responsible for the security of the organization\xe2\x80\x99s information and information systems\ncomplete role-based security-related training before authorizing access to the system or\nperforming assigned duties and periodically thereafter (for example, annually).\n\nRecommendation 20. We recommend that the Chief Information Officer, in coordination with\nInformation Resource Management/Information Assurance and all bureaus, develop and\nimplement monitoring processes and procedures to ensure that personnel with significant\nsecurity responsibilities receive the appropriate training in accordance with the Information\nAssurance Training Plan.\n\nRecommendation 21. 
We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Consular Affairs, the Bureau of Information Resource Management, the Bureau of\nHuman Resources, the Office of Medical Services, the Bureau of Arms Control, Verification and\nCompliance, the Office of the Secretary, and the Bureau of Overseas Buildings Operations\nBureau Executive Director or Information System Owner, their equivalent, or a designee, ensure\nthat responses are provided for the Quarterly Plan of Action & Milestones Grade Memorandums\nto address how the bureaus and offices plan to close out the outstanding plan of action and\nmilestones, that the plan of action and milestones completion dates for corrective actions that\nexpired are updated and the resources required for remediation are updated, that remediation\nactions undertaken for plan of action and milestones are verified in a timely manner, and that\nrequired fields within the plan of action and milestones are included (for example, resources).\n\nRecommendation 22. We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Diplomatic Security, update the Foreign Affairs Manual, 12 FAM 680, to reflect\nthe current process of granting administrators the capabilities for remote administration (for\nexample, allowing exception waivers for remote access administration).\n\nRecommendation 23. We recommend that the Chief Information Officer, in coordination with\nall bureaus and respective Executive Directors, improve their process for submitting service\nrequests to the Information Technology Service Center for key fobs/tokens for new employees.\n\nRecommendation 24. We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Diplomatic Security, update the Foreign Affairs Manual to provide guidance and\ndirection for Continuity of Operations Plan development and implementation.\n\nRecommendation 25. 
We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Information Resource Management/Information Assurance, perform an entity-\nwide Business Impact Analysis and develop a strategy to prioritize recovery of the critical assets\nwithin the Department and align the Business Impact Analysis of the primary mission-critical\n\n                                             33\n                                        UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\nfunctions with Information Resource Management\xe2\x80\x99s Maximum Tolerable Downtime for the\nnetwork.\n\nRecommendation 26. We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Information Resource Management/Information Assurance, develop a Continuity\nof Operations Plan for communications and the infrastructure at the Department level (entity)\nthat complies with National Institute of Standards and Technology Special Publication 800-34,\nRevision 1, Contingency Planning Guide for Federal Information Systems, and includes the\nstandard elements of a Continuity of Operations Plan.\n\nRecommendation 27. We recommend that the Chief Information Officer, in coordination with\nbureaus and the Information System Owners, document and maintain alternate site locations and\nprocedures for accessing the alternate site and perform annual contingency plan tests and update\ncontingency plans with test results as necessary.\n\nRecommendation 28. We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Diplomatic Security, continue to ensure that annual physical inspections are\ncompleted for all OpenNet and ClassNet extensions.\n\nRecommendation 29. 
We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Information Resource Management/Information Assurance, continue to review\nSystem Security Assessment packages, annual controls assessments, and contingency plans tests\nto ensure that bureaus are implementing the required National Institute of Standards and\nTechnology Special Publication 800-53, Revision 3, Recommended Security Controls for\nFederal Information Systems and Organizations controls and updating System Security Plans for\nthe contractor-hosted systems.\n\nRecommendation 30. We recommend that the Chief Information Officer, in coordination with\nthe Bureau of Information Resource Management/Information Assurance, continue to implement\nprocedures to coordinate security activities for tracking all extensions (that is, contractor sites\nand other government agencies via iPost) to OpenNet and ClassNet.\nRecommendation 31. We recommend that the Bureau of Information Resource Management\nsenior management ensure that Information Technology Service Line Program Managers obtain\nthe appropriate level of electronic Capital Planning Investment control tool training and\nunderstanding regarding their electronic Capital Planning Investment Control reporting\nrequirements and that they are held accountable for completing their respective Exhibits 300,\nincluding the accurate reporting of the resources required to protect their information systems, as\npart of the next electronic Capital Planning Investment Control submission.\n\n\n\n\n                                             34\n                                        UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n                                                                                              Appendix A\n\n                                   A. 
Scope and Methodology\n\n       In order to fulfill its responsibilities related to the Federal Information Security\nManagement Act (FISMA), the Office of Inspector General (OIG), Office of Audits, contracted\nwith Williams, Adley & Company-DC, LLP (referred to as \xe2\x80\x9cwe\xe2\x80\x9d in this appendix), an\nindependent public accountant, to evaluate the Department of State\xe2\x80\x99s information security\nprogram and practices to determine the effectiveness of such programs and practices for FY\n2012. The OIG and Williams, Adley & Company-DC, LLP, held an exit conference with\nmanagement on November 15, 2012.\n\n        FISMA requires each Federal agency to develop, document, and implement an agency-\nwide program to provide information security for the information systems that support the\noperations and assets of the agency, including those provided or managed by another agency or\ncontractor or another source. To ensure the adequacy and effectiveness of these controls,\nFISMA requires the agency inspector general or an independent external auditor to perform\nannual reviews of the information security program and to report those results to the Office of\nManagement and Budget (OMB) and the Department of Homeland Security (DHS). DHS uses\nthis data to assist in oversight responsibilities and to prepare its annual report to Congress\nregarding agency compliance with FISMA.\n\n        We performed the audit in accordance with Generally Accepted Government Auditing\nStandards (GAGAS), FISMA, OMB, and National Institute of Standards and Technology (NIST)\nSpecial Publications (SP) guidance. GAGAS requires that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our evaluation objectives. 
We believe that the evidence obtained provides\na reasonable basis for our findings and conclusions based on our audit objective.\n\n        Our fieldwork was completed before OMB Memorandum M-12-20, \xe2\x80\x9cFY 2012 Reporting\nInstructions for the Federal Information Security Management Act and Agency Privacy\nManagement,\xe2\x80\x9d October 2, 2012, was issued. This memorandum provided instructions for FY\n2012 reporting requirements. We reviewed the memorandum and evaluated its impact on our\nresults but determined that no changes were required to be made.\n\n       We used the following laws, regulations, and policies to evaluate the adequacy of the\ncontrols in place at the Department:\n\n        \xef\x82\xb7   OMB Memorandums M-02-01, M-04-04, M-06-19, and M-12-20.1\n        \xef\x82\xb7   DHS Federal Information Security Memorandum (FISM) 12-02.2\n1\n  OMB Memorandum 02-01, \xe2\x80\x9cGuidance for Preparing and Submitting Security Plans of Action and Milestones\xe2\x80\x9d;\nOMB Memorandum 04-04, \xe2\x80\x9cE-Authentication Guidance for Federal Agencies\xe2\x80\x9d; OMB Memorandum 06-19,\n\xe2\x80\x9cReporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in\nAgency Information Technology Investments\xe2\x80\x9d; OMB Memorandum M-12-20, \xe2\x80\x9cFY 2012 Reporting Instructions for\nthe Federal Information Security Management Act and Agency Privacy Management,\xe2\x80\x9d respectively.\n2\n  DHS Memorandum 12-02, \xe2\x80\x9cFY 2012 Reporting Instructions for the Federal Information Security Management Act\nand Agency Privacy Management,\xe2\x80\x9d Feb. 
15, 2012.\n                                                 35\n                                            UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\n        \xef\x82\xb7   Department policies and procedures such as the Foreign Affairs Manual (5 FAM and\n            12 FAM).3\n        \xef\x82\xb7   Federal laws, regulations, and standards such as FISMA, OMB Circular A-130,\n            Appendix III,4 and OMB Circular No. A-11.5\n        \xef\x82\xb7   NIST Special Publications (SP), Federal Information Processing Standards, other\n            applicable NIST publications, and industry best practices.\n\n      In our audit, we assessed the Department\xe2\x80\x99s information security program policies,\nprocedures, and processes in the following areas:\n\n        \xef\x82\xb7   Continuous monitoring\n        \xef\x82\xb7   Security configuration management\n        \xef\x82\xb7   Account and identity management\n        \xef\x82\xb7   Incident response and reporting\n        \xef\x82\xb7   Risk management framework (formerly Certification & Accreditation)\n        \xef\x82\xb7   Security training\n        \xef\x82\xb7   Plan of action and milestones (POA&M)\n        \xef\x82\xb7   Remote access\n        \xef\x82\xb7   Contingency planning\n        \xef\x82\xb7   Oversight of contractor systems\n        \xef\x82\xb7   Security capital planning\n\n       The audit covered the period of October 1, 2011, to September 30, 2012. 
During the\nfieldwork, we took the following actions:\n\n    \xef\x82\xb7   Determined the extent to which the Department\xe2\x80\x99s information security plans,\n        programs, and practices complied with FISMA requirements; applicable Federal laws,\n        regulations, and standards; relevant OMB Circular A-130, Appendix III, processes\n        and reporting requirements; and NIST and Federal Information Processing Standards\n        requirements.\n\n    \xef\x82\xb7   Reviewed all relevant security programs and practices to report on the effectiveness of\n        the Department\xe2\x80\x99s agency-wide information security program in accordance with OMB\xe2\x80\x99s\n        annual FISMA reporting instructions. The audit approach addressed the reporting\n        instructions from OMB Memorandum M-12-20.\n\n    \xef\x82\xb7   Assessed programs for monitoring of security policy and program compliance and\n        responding to security events (that is, unauthorized changes detected by intrusion\n        detection systems).\n\n    \xef\x82\xb7   Performed testing of major systems at the discretion of OIG. We tested 26 systems\n        for our sample. (See Appendix E).\n\n3\n  5 FAM, \xe2\x80\x9cInformation Management\xe2\x80\x9d and 12 FAM, \xe2\x80\x9cDiplomatic Security.\xe2\x80\x9d\n4\n  OMB Circular No. A-130 Revised Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information Resources.\xe2\x80\x9d\n5\n  OMB Circular No. A\xe2\x80\x9311, \xe2\x80\x9cPreparation, Submission, and Execution of the Budget.\xe2\x80\x9d\n                                                 36\n                                            UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n   \xef\x82\xb7   Assessed the adequacy of internal controls related to the areas reviewed. 
Control\n       deficiencies identified during the review are reported in the report.\n\n   \xef\x82\xb7   Evaluated the Department\xe2\x80\x99s remedial action taken to address the previously reported\n       Information Security Program control weaknesses identified in OIG\xe2\x80\x99s report Evaluation\n       of Department of State Information Security Program (AUD/IT-12-14, Nov. 2011).\n\nReview of Internal Controls\n\n       We reviewed the Department\xe2\x80\x99s internal controls to determine whether:\n\n   \xef\x82\xb7   The Department had established an enterprise wide continuous monitoring program that\n       assesses the security state of information systems that is consistent with FISMA\n       requirements, OMB policy, and applicable NIST guidelines.\n\n   \xef\x82\xb7   The Department had established and was maintaining a security configuration\n       management program that was consistent with FISMA requirements, OMB policy, and\n       applicable NIST guidelines.\n\n   \xef\x82\xb7   The Department had established and was maintaining an account and identity\n       management program that was generally consistent with NIST\'s and OMB\'s FISMA\n       requirements and identifies users and network devices.\n\n   \xef\x82\xb7   The Department had established and was maintaining an incident response and reporting\n       program that was consistent with FISMA requirements, OMB policy, and applicable\n       NIST guidelines.\n\n   \xef\x82\xb7   The Department had established a risk management program that was consistent with\n       FISMA requirements, OMB policy, and applicable NIST guidelines.\n\n   \xef\x82\xb7   The Department had established and was maintaining a security training program that\n       was consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.\n\n   \xef\x82\xb7   The Department had established a POA&M program that was consistent with FISMA\n       requirements, OMB policy, and applicable NIST guidelines 
and that tracked and\n       monitored known information security weaknesses.\n\n   \xef\x82\xb7   The Department had established and was maintaining a remote access program that was\n       generally consistent with NIST and OMB FISMA requirements.\n\n   \xef\x82\xb7   The Department had established and was maintaining an entity-wide business\n       continuity/disaster recovery program that was generally consistent with NIST\'s and\n       OMBFISMA requirements.\n\n   \xef\x82\xb7   The Department had established a program to oversee systems operated on its behalf by\n       contractors or other entities, including organization systems and services residing in the\n       cloud external to the organization.\n                                            37\n                                       UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n   \xef\x82\xb7   The Department had established and maintained a capital planning and investment\n       program for information security.\n\nUse of Computer-Processed Data\n\n        During the audit, we utilized computer-processed data to obtain samples and information\nregarding the existence of information security controls. Specifically, we obtained data extracted\nfrom Microsoft\xe2\x80\x99s Active Directory and the Department\xe2\x80\x99s human resources system to test user\naccount management controls. We also reviewed data generated by software tools to determine\nthe existence of security weaknesses that were identified during vulnerability assessments. We\nassessed the reliability of computer-generated data primarily by comparing selected data with\nsource documents. 
We determined that the information was reliable for assessing the adequacy of related information security controls.

Appendix B

B. Follow-up of Recommendations From the FY 2011 FISMA Report

The audit team reviewed actions implemented by management to mitigate the findings identified in the FY 2011 FISMA report. The current status of each of the recommendations is as follows:

Recommendation 1. We recommend that the Information Security Steering Committee (ISSC) meet on a monthly basis to fulfill its purpose and responsibilities as required in the ISSC charter.

2012 Status: Closed. As of March 2012, management updated the ISSC Charter to require the ISSC to meet only on an ad hoc basis.

Recommendation 2. We recommend that the Information Security Steering Committee improve its risk management strategy at the organizational level for assessing, responding to, and monitoring information security risk as required in the Foreign Affairs Manual and the National Institute of Standards and Technology Special Publication 800-39.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendation 1 (Finding A) in the FY 2012 report.

Recommendation 3. We recommend that the Chief Information Officer:

   •   Improve oversight of the security assessment and authorization process for the Department’s information systems, especially the OpenNet General Support System (GSS) and ClassNet GSS, as required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37.
   •   Improve existing procedures to ensure security authorization packages are updated every 3 years or when a significant change occurs, or develop a risk-based approach for implementing a continuous monitoring strategy, as required by NIST SP 800-37.
   •   Improve existing procedures to ensure Systems Security Plans and Systems Assessment Reports are updated as required to comply with the security baseline controls contained in NIST SP 800-53 (Revision 3).
   •   Perform annual security assessments of a subset of a system’s security controls as required by NIST SP 800-37.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendations 17 and 18 (Finding G) in the FY 2012 report.

Recommendation 4. We recommend that the Chief Information Officer expedite the Information Resource Management, Operations, Enterprise Network Management and Diplomatic Security, Security Infrastructure, Office of Computer Security process to finalize and implement the elements within the Cyber Security Architecture draft target architecture and initiative for end-to-end configuration management and take immediate action to correct or mitigate the high-risk vulnerabilities identified by the vulnerability scanning as required by the Foreign Affairs Manual and Diplomatic Security System Configuration Policy and Procedures.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendations 3 and 4 (Finding B) in the FY 2012 report.

Recommendation 5. We recommend that the Chief Information Officer and the Bureau of Diplomatic Security ensure, for significant security responsibility (SSR) training, that personnel designated as having SSR responsibilities receive the appropriate training as required by the Information Assurance Training Plan.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendation 20 (Finding H) in the FY 2012 report.

Recommendation 6. We recommend that the Chief Information Officer implement, for Security Awareness Training, automated methods to replace the current manual process to track and enforce the Department of State security awareness policy and to suspend a user’s access to the network if the user has not taken the Cyber Security Awareness course within the required timeframe as required by the Information Assurance Training Plan.

2012 Status: Closed. As of March 2012, the Cybersecurity Tracking system updates the user’s Active Directory account expiration date immediately after the student completes the Cyber Security Awareness (PS800) training. This Active Directory update extends the user’s account expiration date by 368 days. If the user fails to retake the test within 368 days, the user’s account expires and the user cannot access the system without manual intervention by an administrator.

Recommendation 7. We recommend that the Chief Information Officer:

   •   Implement a Plans of Action and Milestones (POA&M) tracking process for all ClassNet security weaknesses as required by Committee on National Security Systems Policy Number 22, Information Assurance Risk Management Policy for National Security Systems.
   •   Distribute the quarterly POA&M Grade Memorandums to the bureaus’ and offices’ senior management (executive director) as required by M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act.
   •   Ensure that the POA&M completion dates and the required resources for OpenNet corrective actions are updated as required by OMB Memorandum M-04-25.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendation 21 (Finding I) in the FY 2012 report.

Recommendation 8. We recommend that the Chief Information Officer (CIO) develop and implement Department of State processes and procedures to resolve weaknesses in user accounts to ensure that unnecessary network user accounts are promptly removed by the bureaus and posts. Further, the CIO should develop and implement procedures to ensure that bureaus and organizational unit administrators annually review and recertify access privileges of users so that the number of guest, test, and temporary accounts is managed effectively as required by the Foreign Affairs Manual 12 FAM 622 and 12 FAM 629.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendations 8–10 (Finding E) in the FY 2012 report.

Recommendation 9. We recommend that the Chief Information Officer (CIO) ensure compliance with the account management process to make certain that user and administrator accounts are created, modified, and deleted in a manner consistent with Department of State policy. Further, the CIO needs to compare the terminated user listings provided by bureau and post personnel officers with information contained in Active Directory on a quarterly basis to ensure that accounts for separated employees are removed in a timely manner, as required by NIST SP 800-53, Revision 3, August 2009, Recommended Security Controls for Federal Information Systems and Organizations, and the Foreign Affairs Manual (12 FAM 621.3).

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendations 11–15 (Finding F) in the FY 2012 report.

Recommendation 10. We recommend that the Information Security Steering Committee develop, document, and implement an enterprise-wide continuous monitoring strategy that addresses framing risk, assessing risk, responding to risk, and monitoring risk, as required by NIST SP 800-39, Managing Information Security Risk.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendation 1 (Finding A) in the FY 2012 report.

Recommendation 11. We recommend that the Chief Information Officer, in accordance with the requirements in NIST SP 800-39, Managing Information Security Risk:

   •   Implement a continuous monitoring strategy at the enterprise-wide level.
   •   Obtain and use scanning software to enable effective scans of non-Windows operating systems, databases, firewalls, routers, and switches.
   •   Develop operating procedures to ensure the scan results are included in the Risk Scoring Program dashboard.
   •   Develop procedures to ensure that System Security Owners update the system security plans to include a continuous monitoring strategy detailing how system security controls are to be monitored.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendations 6 and 7 (Finding D) in the FY 2012 report.

Recommendation 12. We recommend that the Chief Information Officer, as required by NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, take the following actions:

   •   Update the Continuity of Operations Communication Plan annually or when changes occur to the organization, network hardware, systems, and applications and, if necessary, after Continuity Testing.
   •   Perform an entity-wide Business Impact Analysis and develop a strategy to prioritize recovery of the critical assets within the Department of State.
   •   Update the section of the Foreign Affairs Manual that contains guidance and direction for development and implementation of the Continuity of Operations Communication Plan.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendations 24–26 (Finding K) in the FY 2012 report.

Recommendation 13. We recommend that the Bureau of Administration, Office of Emergency Management, in coordination with the Chief Information Officer, align the Business Impact Analysis of the Primary Mission Essential Functions with the Bureau of Information Resource Management’s Maximum Tolerable Downtime for the network as required by NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendation 25 (Finding K) in the FY 2012 report.

Recommendation 14. As required by National Institute of Standards and Technology (NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, and SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, we recommend that the Bureau of Information Resource Management, Office of Information Assurance, in coordination with the bureaus and system owners, take the following actions:

   •   Document and maintain alternate site locations and procedures for accessing an alternate site.
   •   Develop and maintain contingency plans for all major applications and general support systems.
   •   Maintain and update recovery and restoration procedures for all applications and general support systems.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendation 27 (Finding L) in the FY 2012 report.

Recommendation 15. As required by National Institute of Standards and Technology (NIST) Special Publications (SP) 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, and SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, we recommend that the Chief Information Officer:

   •   Revise the Information Resource Management/Information Assurance Contingency Plan Test Review checklist to address the following items:
          o Recovery and damage assessment procedures
          o Alternate recovery site details
          o Back-up procedures
          o Back-up test results for moderate- and high-impact systems
   •   Revise the Contingency Plan Policy to include an organization-defined frequency for backup testing.
   •   Revise the Foreign Affairs Manual to require system owners to report to IRM/IA on the test results and updates to the contingency plans.

2012 Status: Closed. As of March 2012, the Information Resource Management/Information Assurance (IRM/IA) Contingency Plan Test Review checklist had been updated, the Contingency Plan Policy now includes an organization-defined frequency for backup testing, and the Foreign Affairs Manual requires system owners to report to IRM/IA on the test results and updates to the contingency plans.

Recommendation 16. We recommend that the Chief Information Officer, in accordance with the Foreign Affairs Manual (5 FAM 1065.3) and the National Institute of Standards and Technology Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, take the following actions:

   •   Ensure that the contractor oversight program complies with Office of Management and Budget, Federal Information Security Management Act, National Institute of Standards and Technology, and Foreign Affairs Manual security policies, standards, and requirements for managing Contractor Owned Contractor Operated (COCO) systems; specifically, all security-related documentation for such systems should be retained.
   •   Implement a COCO system security program whereby COCOs are overseen by the Bureau of Information Resource Management/Information Assurance.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendations 28–30 (Finding M) in the FY 2012 report.

Recommendation 17. We recommend that the Bureau of Diplomatic Security develop and implement new and enhanced security requirements to coordinate security activities for tracking all extensions (that is, contractor sites, other Government agencies, and third-party vendors) to OpenNet and ClassNet as required by the Office of Management and Budget Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

2012 Status: Closed. This is a repeat recommendation from the FY 2011 report. It has become Recommendation 30 (Finding M) in the FY 2012 report.

Recommendation 18. We recommend that the Bureau of Diplomatic Security, in coordination with the Bureau of Administration, establish procedures to identify the total number of contractors who have access to Department of State systems, as required by the Office of Management and Budget Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.

2012 Status: Closed. Domestically, the number of contractors can be tracked through the Centralized Emergency Notification System via the Data Capturing and Feeding (DCAF) system. For overseas contractors, Post Profiles can display the count of contractors as collected via WebPass.

Recommendation 19. We recommend that the Chief Information Officer, as required by Office of Management and Budget (OMB) Memorandum M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, and OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget:

   •   Ensure that the Bureau of Information Resource Management/Business Management and Planning tracks all obligations and expenditures for information technology security investments.
   •   Provide a summary of the non-major investments that make up the information technology infrastructure and other major investments.
   •   Include the Unique Project Identifier in the Department of State’s Plans of Action and Milestones database.

2012 Status: Closed.
As of August 2012, Unique Project Identifiers have been included in the Department of State’s Plans of Action and Milestones database.

Appendix C

C. End-to-End Configuration Management Process Needs Improvement

Although the Department of State was taking action to address the configuration management control weaknesses noted in the prior year, weaknesses within the configuration management process still exist. During the independent vulnerability scanning analysis performed, we identified the issues shown in Tables 1 and 2.

Table 1. Systems Without Critical Patches Installed

No.   System Name   Classification   Total Number of Patch and Hot Fix Issues
1     NIV           Unclassified                                            7
2     ASTORM        Unclassified                                            0
3     ARS           Unclassified                                          157
4     CADSS         Unclassified                                           32
5     CRMSS         Unclassified                                           19
6     MCI           Unclassified                                           21
7     BMIS          Unclassified                                            0
8     LFMS          Unclassified                                           27
9     STMS          Unclassified                                           15
10    TOMIS         Unclassified                                          173
11    CRTS          Unclassified                                           13
12    IIP_PMOS      Unclassified                                           33
13    OPENNET       Unclassified                                           25
14    GO            Unclassified                                          242
15    Remedy 7.0    Unclassified                                          287
Total                                                                   1,051

System Name (Number of Servers Affected)   Third Party Patch Issues
ARS (6/10)                                 Oracle Java Critical Patch missing
BMIS (2/4)
STMS (1/3)
OPENNET (1/46)
GO (1/76)
Remedy (3/44)

CADSS (2/4)                                Adobe Flash Player Multiple Vulnerabilities
GO (13/76)

Table 2. Systems Configured To Allow Unauthorized Users

System (Number of Servers Affected)   Risk                                                       Description
NIV (1/4)                             Apache web server vulnerable to Denial of Service Attack   Apache httpd Ranges Header Field Memory Exhaustion (DoS)
CRTS (1/12)

CADSS (2/4)                           Confidentiality and Integrity can be violated.             Web Server Supports Weak SSL Encryption Certificates and SSL V2 protocol
CRMS (1/3)
MCI (1/2)
STMS (2/3)
TOMIS (2/14)
CRTS (2/12)
OPENNET (2/46)
Remedy (1/44)
ARS (1/10)

CRMS (1/3)                            Unauthorized access                                        Administrator Users Password Never Expires
MCI (2/2)
BMIS (1/4)
LFMS (3/3)
STMS (2/3)
CRTS (1/12)
GO (11/76)
Remedy (5/44)
ARS (1/10)

MCI (2/2)                             Buffer Overflow                                            IBM Tivoli Storage Manager Client JBB Functionality Buffer Overflow Privileges Escalation
BMIS (3/4)
GO (1/76)
Remedy (8/44)

STMS (2/3)                            Access Bypass                                              HP System Management Homepage Multiple Vulnerabilities
IIP_PMOS (3/14)
OPENNET (10/46)
GO (16/76)
Remedy (4/44)

TOMIS (3/14)                          Confidentiality and Integrity can be violated.             Oracle Application Server multiple Vulnerabilities

TOMIS (3/14)                          Confidentiality and Integrity can be violated.             Tomcat Example Web Application Vulnerable to Cross-Site Scripting attack.
Remedy (1/44)

CRTS (4/12)                           Denial of Service Attack                                   Symantec Veritas Backup Exec for Windows RPC Heap Overflow

CRTS (2/12)                           Denial of Service Attack                                   IBM HTTP Server vulnerable to Denial Of Service

CRTS (2/12)                           Privilege escalation                                       Oracle Database multiple vulnerabilities

IIP-PMOS (1/14)                       Denial of Service Attack                                   IBM Lotus Notes Buffer Overflow

GO (4/76)                             Access bypass and Denial of Service attack                 Citrix XenApp multiple vulnerabilities

Remedy (1/44)                         Denial of Service attack                                   MySQL Access Validation Denial Of Service Vulnerability

Remedy (1/44)                         Confidentiality and Integrity can be violated.             SAP Crystal Reports Server Multiple Vulnerabilities

Appendix D

D. Weak Active Directory User Account Management

The Department of State needs to improve account management procedures and processes in Active Directory (AD) for OpenNet and ClassNet.
In FY 2011, the Office of Inspector General reported deficiencies in account management. Although the Chief Information Officer is taking action, the audit identified deficiencies with account management controls covering Active Directory.

Table 1 lists, for each AD tab, the count of stale user accounts, the count of user accounts that have never logged on, the count of accounts for which a password is not required, and the count of accounts whose passwords never expire.

Table 1. Count of Weak Active Directory User Accounts

AD Tab         Count of Stale   Count of User        Count of Passwords   Count of Passwords
               User Accounts    Accounts That Never  Not Required         Never Expire
                                Logged On            (All AD Accounts)    (All AD Accounts)
AF                         909                  521                2,123                  11
Apps                        10                    6                    1                 121
CA                          68                   75                1,917                  30
ConUS                       40                   23                   82                   3
DS                         278                   95                  925                  37
EAP                        858                  675                2,424                  21
EUR                        943                1,150                4,152                  20
GFS                          6                    3                    1                   0
NEASA                    1,112                  773                2,224                  71
OIG                         12                   28                  103                  12
SES                        144                    6                  248                  60
State                        1                    7                    0                   6
WashDC                     705                1,742                2,045                 106
WHA                      1,183                  613                3,090                  31
Grand Total              6,269                5,717               19,335                 529

Total User Accounts              116,821
Total Service Accounts             4,552
Total Shared Mailbox Accounts        329

Appendix E

E. Sample Selection of Information Systems Listed in Information Technology Asset Baseline Used for FY 2012 Audit – Vulnerability Assessment

The sample selection described in the title of this appendix is shown as follows:

Name                                                      Acronym      Bureau   Classification   Categorization
Freedom of Information Document Management System         FREEDOMS     A        Classified       M|L|L
State Archiving System 2                                  SAS2         A        Classified       M|M|L
A Bureau Metastorm                                        ASTORM       A        Unclassified     Moderate
Consular Affairs Rational Tool Set                        CRTS         CA       Unclassified     Moderate
Action Request System                                     ARS          CA       Unclassified     Moderate
Consular Affairs Domestic Support Suite                   CADSS        CA       Unclassified     Moderate
Consular Affairs ClassNet Website                         CACLI        CA       Classified       High
Non-Immigrant Visa System                                 NIV          CA       Unclassified     Moderate
electronic SAO Portal                                     eSP          CA       Classified       M|M|M
Technical Security Countermeasures                        TSCM         DS       Classified       M|M|M
Counterintelligence Network Application                   CINA         DS       Classified       M|H|H
The Office of Foreign Missions Information System         TOMIS        DS       Unclassified     High
Student Training Management System                        STMS         FSI      Unclassified     Moderate
IIP Program Management and Outreach System                IIP-PMOS     IIP      Unclassified     Moderate
Local Financial Management System                         LFMS         INL      Unclassified     Moderate
BMC Remedy IT Service Management Suite                    Remedy 7.0   IRM      Unclassified     Moderate
ClassNet Public Key Infrastructure                        CPKI         IRM      Classified       High
Global OpenNet                                            GO           IRM      Unclassified     Moderate
OpenNet Plus Transport GSS                                OPENNET      IRM      Unclassified     Moderate
ClassNet                                                  CN           IRM      Classified       M|M|M
Medical Capabilities Information database                 MCI          MED      Unclassified     Moderate
Buildings Management Integrated System                    BMIS         OBO      Unclassified     Moderate
Central Resource Management System                        CRMS         RM       Unclassified     Moderate
Consolidated Reconciliation System                        CRS          RM       Unclassified     Moderate
Secretariat Telegram Processing System (Second Edition)   STEPS II     S        Classified       M|H|H
Secretariat Tracking and Retrieval System                 STARS        S        Classified       M|H|M

Legend – Bureaus

A – Bureau of Administration
CA – Bureau of Consular Affairs
DS – Bureau of Diplomatic Security
FSI – Foreign Service Institute
IIP – Office of International Information Programs
INL – Bureau of International Narcotics and Law Enforcement Affairs
IRM – Bureau of Information Resource Management
MED – Office of Medical Services
OBO – Bureau of Overseas Building Operations
RM – Bureau of Resource Management
S – Office of the Secretary

Appendix F

F. Missing NIST SP 800-53, Revision 3, Baseline Security Controls

Name                                                     Acronym     Bureau   Classification   FIPS Categorization   NIST 800-53 Rev 3
Electronic Passport Application Form Internet Website    2DB         CA       Unclassified     Moderate              AC-22; AU-12; CM-9; IA-8; IR-8; MP-3; PE-4; PM1 to PM11; SA-10; SC-28; SC-32; SI-7
Diplomatic Security Business Process Management System   BPMS        DS       Unclassified     Moderate              AC-22; AU-12; CM-9; IA-8; IR-8; MP-3; PE-4; PM1 to PM11; SA-10; SC-28; SC-32; SI-7
Consular Shared Tables                                   CST         CA       Unclassified     Moderate              AC-22; AU-12; CM-9; IA-8; IR-8; MP-3; PE-4; PM1 to PM11; SA-10; SC-28; SC-32; SI-7
Global Affairs Dashboard                                 Dashboard   RM       Unclassified     Low                   AC-19; AC-22; AU-6; AU-12; CM-4; CM-7; CP-3; IA-8; IR-2; IR-5; IR-8; PM-1 to PM11; RA-5; SC-12; SC-15; SC-20; SI-12
Diversity Immigrant Visa Information System              DVIS        CA       Unclassified     Moderate              AC-22; AU-12; CM-9; IA-8; IR-8; MP-3; PE-4; PM1 to PM11; SA-10; SC-28; SC-32; SI-7
Enterprise Data Warehouse                                EDW         IRM      Unclassified     Moderate              AC-22; AU-12; CM-9; IA-8; IR-8; MP-3; PE-4; PM1 to PM11; SA-10; SC-28; SC-32; SI-7
Electronic Visa Application Form                         EVAF        CA       Unclassified     Moderate              AC-22; AU-12; CM-9; IA-8; IR-8; MP-3; PE-4; PM1 to PM11; SA-10; SC-28; SC-32; SI-7
Visa Opinion                                             VOIS        CA
     Unclassified                Moderate         AC-22; AU-12; CM-9; IA-8;\nInformation Service                                                                                   IR-8; MP-3; PE-4; PM1 to\n                                                                                                      PM11; SA-10; SC-28; SC-\n                                                                                                                32; SI-7\n  Resource and          Web RABIT         RM            Unclassified                Moderate         AC-22; AU-12; CM-9; IA-8;\nBudget Integration                                                                                    IR-8; MP-3; PE-4; PM1 to\n      Tool                                                                                            PM11; SA-10; SC-28; SC-\n                                                                                                                32; SI-7\n\n                    Bureaus                                          SP 800-53 Control Family\n   CA \xe2\x80\x93 Bureau of Consular Affairs          AC \xe2\x80\x93 Access Controls                            PE - Physical and Environmental\n                                                                                            Protection\n   DS \xe2\x80\x93 Bureau of Diplomatic Security       AU - Audit and Accountability                   PM - Program Management\n   IRM- Bureau of Information Resource      CM - Configuration Management                   RA - Risk Assessment\n   Management\n   RM- Bureau of Resource Management       IA - Identification and Authentication           SA - System and Services Acquisition\n                                           IR - Incident Response                           SC - System and Communications\n                                                                                            Protection\n                                            MP - Media Protection             
              SI - System and Information Integrity\n\n                                                       51\n                                                  UNCLASSIFIED\n\x0c                                                  UNCLASSIFIED\n\n\n                                                                                                   Appendix G\n\n     G.FISMA Reportable Systems That Have Not Completed the FY 2012\n                         Contingency Plan Test\n        The systems described in the title of this appendix are shown as follows:\n\n          Name                        Acronym          Bureau                    Classification   Categorization\n\nOpenNet Plus Transport                OPENNET            IRM                     Unclassified       Moderate\nGSS\nGlobal OpenNet                           GO              IRM                     Unclassified       Moderate\nFreedom of Information                FREEDOMS            A                       Classified         M|L|L\nDocument Management\nSystem\nSecretariat Telegram                   STEPS II            S                       Classified        M|H|H\nProcessing System (Second\nEdition)\nSecretariat Tracking and               STARS               S                       Classified        M|H|M\nRetrieval System\nBottom of Form\nSPCD - (Classified)                    SPCNet           OBO                        Classified        M|H|H\n\n\n                                                         Legend\n                                                      Bureaus\n\n       A \xe2\x80\x93 Bureau of Administration                 OBO- Bureau of Overseas Building Operations\n       IRM- Bureau of Information Resource          S- Office of the Secretary\n       Management\n\n\n\n\n                                                       52\n                                                  UNCLASSIFIED\n\x0c                                                      UNCLASSIFIED\n\n\n              
Appendix H

H. FISMA Reportable Systems Missing Alternate Processing Site Details

The systems described in the title of this appendix are shown as follows:

Name                                                      Acronym     Bureau   Classification   Categorization
IIP Program Management and Outreach System                IIP-PMOS    IIP      Unclassified     Moderate
Global INL                                                GINL        INL      Unclassified     High
Airwing Information System                                AWIS        INL      Unclassified     Moderate
OpenNet Plus Transport GSS                                OPENNET     IRM      Unclassified     Moderate
Global OpenNet                                            GO          IRM      Unclassified     Moderate
Freedom of Information Document Management System         FREEDOMS    A        Classified       M|L|L
Secretariat Telegram Processing System (Second Edition)   STEPS II    S        Classified       M|H|H
Secretariat Tracking and Retrieval System                 STARS       S        Classified       M|H|M
SPCD - (Classified)                                       SPCNet      OBO      Classified       M|H|H

Legend
Bureaus
    A   – Bureau of Administration
    IIP – Office of International Information Programs
    INL – Bureau of International Narcotics and Law Enforcement Affairs (INL)
    IRM – Bureau of Information Resource Management
    OBO – Bureau of Overseas Building Operations
    S   – Office of the Secretary

Appendix I

I. Department of State Response

United States Department of State
Chief Information Officer
Information Resource Management
Washington, D.C. 20520

UNCLASSIFIED
NOV 7 2012

MEMORANDUM

TO:       OIG - Mr. Harold W. Geisel

FROM:     IRM - Steven C. Taylor, Acting CIO

SUBJECT:  Department Response to Draft Report on Audit of Department of State Information Security Program

REF:      OIG Memo dated October 24, 2012, Subject: Draft Report on Audit of Department of State Information Security Program

Thank you for the opportunity to provide a response to the subject report, Audit of Department of State Information Security Program. This memorandum is to inform you of the actions IRM has taken to comply with the requirements for recommendations 1-30. For recommendations 10, 11, 16, 21, 22, 27, 28, and 29, we thereby request that the status be "closed" and no further actions are required. For the remaining recommendations, 1, 3, 4, 5, 6, 7, 9, 12, 13, 14, 17, 18, 19, 20, 23, 24, 25, and 26, we thereby request that the status be changed from "resolved" to "closed" pending further actions. For recommendations 2 and 30, we agree that they are "open". Because of the separate issues identified in recommendations 8 and 15, we request that the recommendations be revised as noted in our response. For your information we have included the initial OIG recommendation and the Department Management Comments in Appendix A.

Should additional information be requested, please contact Mr. William G. Lay at (703) 812-2339, for assistance. Thank you.

OIG Resolution Analysis
Audit of Department of State Information Security Program
(AUD/IT-XX-XX, Nov. 2012)

Recommendation 1. We recommend that the Information Security Steering Committee finalize and implement an enterprise-wide continuous monitoring and risk management framework strategy that addresses framing risk, assessing risk, responding to risk, and monitoring risk.

Management Comments (November 2012): The Department concurs with this recommendation. The Department has provided the OIG with a document specific to the finding entitled Continuous Monitoring Strategy with Mitigation Risk-Based Framework. Within the next six months, the document will be presented to the Information Security Steering Committee for review and approval.

The Department suggests that this recommendation is resolved and should be closed upon the Information Security Steering Committee's finalization of the referenced document.

Recommendation 2. We recommend the Chief Information Officer, in coordination with the Bureau of Diplomatic Security and the Bureau of Information Resource Management, include, under its continuous monitoring program, an effective method to monitor the security posture for non-Windows operating systems, databases, firewalls, routers, and switches.

Management Response (November 2012): The Department concurs with this recommendation. The Chief Information Officer, in coordination with the Bureau of Diplomatic Security and the Bureau of Information Resource Management, will hold discussions and develop documentation identifying methods for monitoring the security posture for non-Windows operating systems, databases, firewalls, routers, and switches.

The Department suggests that this recommendation be left open.

Recommendation 3. We recommend that the Chief Information Officer, in coordination with the Bureau of Information Resource Management, Enterprise Network Management, and the Bureau of Diplomatic Security, finalize and implement the Cyber Security Architecture draft target architecture and initiative for end-to-end configuration management.

Management Response (November 2012): While the Department believes that the current configuration management controls for the Standard Operating Environment (SOE) platform have been fully documented and are operating effectively and efficiently, further documentation of key components (e.g., Cyber Security Architecture and end-to-end configuration management) may be required. As such, actions will be taken to meet the intent of this recommendation.

The Department suggests that the recommendation is resolved and should be closed.

Recommendation 4. We recommend that the Chief Information Officer, in coordination with the Bureau of Consular Affairs, the Bureau of Administration, the Bureau of Resource Management, the Office of Medical Services, the Bureau of Overseas Buildings Operations, the Bureau of International Narcotics and Law Enforcement Affairs, the Foreign Service Institute, the Bureau of Diplomatic Security, the Bureau of International Information Program, and the Bureau of Information Resource Management, continue to improve their processes to patch servers within their system boundary in a timely manner.

Management Response (November 2012): The Department concurs with this recommendation. The Department is continually improving processes to patch servers within their system boundary in a timely manner. Updates will be generated periodically via email or cable to ensure that there is proper notification within the Department.

The Department suggests that the recommendation is resolved and should be closed.

Recommendation 5. We recommend that the Security Configuration Management Branch develop and publish the security configuration baselines for UNIX in accordance with the Foreign Affairs Manual.

Management's Response (November 2012): The Department concurs with this recommendation. In collaboration with the Bureau of Diplomatic Security, the Department will review, develop and publish the security configuration baselines for UNIX, as needed, in accordance with 12 FAM.

The Department suggests that the recommendation is resolved and should be closed upon the publishing of the referenced security configuration baselines.

Recommendation 6. We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security/Security Infrastructure/Office of Computer Security, research, develop, and implement capabilities (for example, scanning tools) to perform periodic network vulnerability and compliance scans on Oracle databases, applications, network devices (for example, routers and switches), UNIX operating systems, and Demilitarized Zone servers.

Management Response (November 2012): The Office of Information Assurance and Bureau of Diplomatic Security have previously identified these areas as requiring tools. The process of identification and acquisition of the appropriate tools will continue and once acquired, those tools will be incorporated into the Department's scanning program.

The Department suggests that this recommendation is resolved and should be closed upon the Department's utilization of the referenced tools.

Recommendation 7. We recommend that the Chief Information Officer, in coordination with Diplomatic Security/Security Infrastructure/Office of Computer Security, update the Foundstone configuration to include subnets and Demilitarized Zone servers that were not included in the Foundstone configuration for periodic scanning and obtain the administrative credentials needed to perform the scans and periodically perform discovery scanning to identify new components added to the network.

Management Response (November 2012): The Department concurs with this recommendation. The Office of Information Assurance and the Bureau of Diplomatic Security have identified these areas for improvement in the current scanning capability and are working collaboratively to establish this capability.

The Department suggests closure of this recommendation, which should be closed upon the establishment of the referenced capability.

Recommendation 8. We recommend that the Chief Information Officer, in coordination with respective System Administrators from all bureaus, take immediate action to remove or lock accounts that do not require a password and disable accounts that have not been used within the past 90 days.

Management Response (November 2012): The Department does not concur with this recommendation as stated and requests that it be revised to separately address 1) accounts that do not require a password, and 2) accounts that have not been used within the past 90 days.

Regarding accounts that do not require a password, the Department concurs with this recommendation and suggests that this recommendation is resolved and should be closed. The Department has taken corrective action on accounts that do not require a password. IRM now receives automatic Active Directory alerts when any account is created that does not require a password. This results in an immediate intervening response by IRM/IA.

Regarding the passwords that have not been used within the past 90 days, this is a separate issue and it is recommended that this portion of the recommendation be addressed in recommendation 9.

Recommendation 9. We recommend that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security, revise the Foreign Affairs Manual to provide authority to the Chief Information Officer to review and identify accounts not used within the past 90 days and to de-activate such accounts and require the bureaus and posts to recertify the user account prior to re-activating the account.

Management Response (November 2012): The Department concurs with this recommendation and has initiated actions in coordination with the Office of Diplomatic Security to revise the 12 FAM to include language that provides authority to the Chief Information Officer to review and identify accounts not used within the past 90 days and to de-activate such accounts and require the bureaus and posts to recertify the user account prior to re-activating the account.

The Department suggests that this recommendation is resolved and should be closed upon issuance of the referenced FAM update.

Recommendation 10. We recommend that the Chief Information Officer, in coordination with bureau and post Data Center Managers and System Managers, require the posts and bureaus to configure all accounts to require an account password in accordance with the Foreign Affairs Manual.

Management Response (November 2012): The Department does not concur with this recommendation because the Department's actions are compliant with the applicable FAM. Specifically, the Department requires that user accounts be configured to require an account password.

The Department suggests that this recommendation be closed.

Recommendation 11. We recommend that the Chief Information Officer, in coordination with Bureau of Diplomatic Security, determine whether unauthorized access was performed using the terminated employees' credentials and whether Department information had been compromised.

Management Response (November 2012): The Department concurs with this recommendation. As the OIG's report indicates, corrective actions have been taken by the Bureau of Information Management to disable and remove the accounts from Active Directory and analyses are conducted to determine if any unauthorized activities had been performed on these accounts.

The Department suggests that this recommendation be closed.

Recommendation 12. We recommend that the Chief Information Officer, in coordination with Information System Security Officers and system administrators of the Bureau of East Asian and Pacific Affairs, the Bureau of Near Eastern Affairs, the Washington District of Columbia, and the Bureau of Western Hemisphere Affairs, improve the process of disabling terminated employees' user accounts in a timely manner.

Management Response (November 2012): The Department concurs with this recommendation. To improve the process, the Chief Information Officer, in coordination with regional and functional bureaus, will initiate a policy that requires periodic review ensuring that terminated employees' user accounts are disabled in a timely manner.

The Department suggests that this recommendation is resolved and should be closed upon issuance of the referenced policy.

Recommendation 13. We recommend that the Chief Information Officer, in coordination with the Orientation and In-Processing Center, enforce the use of the Department of State Logon Request form for new users in Afghanistan.

Management Response (November 2012): The Department concurs with this recommendation. In coordination with the Orientation and In-Processing Center, a process will be developed and implemented ensuring that new users in overseas locations complete the Department of State Logon Request form.

The Department suggests that this recommendation is resolved and should be closed upon the implementation of the referenced process.

Recommendation 14. We recommend that the Chief Information Officer, in coordination with Information Resource Management/Operations Directorate/Computer Security Office/Desktop Support Division, update the Information Technology Mart Standard Operating Procedures to reflect the updated account management procedures for new users in Afghanistan.

Management Response (November 2012): The Department concurs with this recommendation and will develop and update procedures on account management for new users in overseas locations.

The Department suggests that this recommendation is resolved and should be closed when the referenced procedures are updated.

OIG margin note: Rec. 15 has become Recs. 15 and 16 in the final report.

Recommendation 15. We recommend that the Chief Information Officer, in coordination with Office of the Secretary, develop and finalize exemptions/waivers to allow for the deviation from the standard of setting expiration dates for Office of the Secretary user accounts in Active Directory and develop and implement a process that ensures that Office of the Secretary users complete the required Cyber Security Awareness Training on an annual basis.

Management Response (November 2012): The Department does not concur with this recommendation as stated and requests that it be revised to separately address 1) exemptions/waivers to allow for the deviation from the standard of setting automatic expirations dates for Active Directory user accounts in the Office of the Secretary, and 2) develop and implement a process that ensures that the Office of the Secretary users complete the required Cyber Security Awareness Training on an annual basis.

Regarding exemptions/waivers, the Department concurs with this recommendation. S/ES already has a procedure in place to set expiration dates manually for user accounts in Active Directory; a waiver to the automatic expiration policy will allow S/ES to continue monitoring the accounts and modifying them manually to ensure no interruption in service and compliance with the relevant portions of the DS Security policy. The Department suggests that this recommendation is resolved and should be closed when the referenced policy is issued and referenced process is implemented.

Regarding users completing the required Cyber Security Awareness Training on an annual basis, the Department concurs with this recommendation and suggests that this recommendation is resolved and should be closed. S/ES will ensure all employees receive cyber security awareness training/briefings as required by The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. § 3541, et seq.)

OIG margin note: Rec. 16 has become Rec. 17 in the final report.

Recommendation 16. We recommend that the Chief Information Officer, in coordination with Information Resource Management/Information Assurance, continue to review the security authorization and annual assessments to ensure that Information System Owner, Information System Security Officer, and Security Control Assessor for all Federal Information Security Management Act reportable systems use the published Certification & Accreditation Toolkit templates during the annual controls assessment to assess the required National Institute of Standards and Technology Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations controls applicable and update the System Security Plan accordingly.

Management Response (November 2012): The Department asserts that the referenced practices and controls are being fully implemented, and therefore does not concur with this recommendation.

The Department suggests that this recommendation be closed.

OIG margin note: Rec. 17 has become Rec. 18 in the final report.

Recommendation 17. We recommend that the Chief Information Officer continue to track the progress of the full authorization of the OpenNet general support system.

Management Response (November 2012): The Department concurs with this recommendation. The Chief Information Officer, the Bureau of IRM's Office of Information Assurance, and the Office of Operations are all expending significant time and resources to ensure progress of the full authorization of the OpenNet general support system is occurring. Ongoing progress reports are submitted to the Chief Information Officer.

The Department suggests that this recommendation be closed.

OIG margin note: Rec. 18 has become Rec. 19 in the final report.

Recommendation 18. We recommend that the Chief Information Officer, in coordination with Information Resource Management/Information Assurance and Office of Computer Security (Diplomatic Security/Systems Integrity/Civil Service), update the Information Assurance Training Plan to require newly hired and current employees and contractors who are in positions that are responsible for the security of the organization's information and information systems complete role-based security-related training before authorizing access to the system or performing assigned duties and periodically thereafter (for example, annually).

Management Response (November 2012): The Department concurs with this recommendation. The Office of Information Assurance and Office of Computer Security have initiated actions to update the Information Assurance Training Plan and develop additional language on newly hired and current employees, contractors, including role-based security-related training.

The Department suggests that this recommendation is resolved and should be closed when the referenced actions are implemented.

OIG margin note: Rec. 19 has become Rec. 20 in the final report.

Recommendation 19. We recommend that the Chief Information Officer, in coordination with Information Resource Management/Information Assurance and all bureaus develop and implement monitoring processes and procedures to ensure that personnel with significant security responsibilities receive the appropriate training in accordance with the Information Assurance Training Plan.

Management Response (November 2012): The Department concurs with this recommendation and believes both recommendation 18 and 19 are related. The Office of Information Assurance and Office of Computer Security have initiated actions to update the Information Assurance Training Plan and develop additional language on newly hired and current employees, contractors, including role-based security-related training.

The Department suggests that this recommendation is resolved and should be closed when the referenced actions are implemented.

OIG margin note: Rec. 20 has become Rec. 21 in the final report.

Recommendation 20. We recommend that the Chief Information Officer, in coordination with the Bureau of Consular Affairs, the Bureau of Information Resource Management, the Bureau of Human Resources, the Office of Medical Services, the Bureau of Arms Control, Verification and Compliance, the Office of the Secretary, and the Bureau of Overseas Buildings Operations Bureau Executive Director or Information System Owner, their equivalent, or a designee, ensure that responses are provided for the Quarterly Plan of Action & Milestones Grade Memorandums to address how the bureaus and offices plan to close out the outstanding plan of action and milestones, that the plan of action and milestones completion dates for corrective actions that expired are updated and the resources required for remediation are updated, that remediation actions undertaken for plan of action and milestones are verified in a timely manner, and that required fields within the plan of action and milestones are included (for example, resources).

Management Response (November 2012): The Department concurs with this recommendation. However, the Department wishes to share there has been notable progress on this matter the past few months. As an example, the Office of Information Assurance has taken action to include in the recently issued Plan of Action and Milestones (POA&M) grading memos, instructions for the Bureaus to respond within 10 business days on their plans to remediate and close open POA&M entries. A report of the responders has been sent to the Chief Information Security Officer for further action and escalation.

The Department suggests that this recommendation is resolved and should be closed upon OIG validation of the referenced actions.

OIG margin note: Rec.
21 lias become\nRecommendation 21. We recommend that the Chief information Officer, in coordination with          Ree. 22 in/he j blOl\nthe Bureau of Diplomatic Security, update the Foreign Affairs Manual, 12 FAM 680, to reflect      report.\nthe current process of granting administrators the capabilities for remote administration (for\nexample, allowing exception waivers for remote access administration).\n\nManagement Response (November 2012): The Department does not concur with this\nrecommendation. The current 12 FAM policy is clear and unambiguous on this topic. In\naddition, the Office of Information Assurance\'s policy 00 the exemption process provides that\neach exemption is fully documented and available for review.\n\nThe Department suggests that this recommendation be closed.\n                                                                                                  Ree. 2211(15 become\nRecommendation 22. We recommend that the Chief Information Officer, in coordination with          Ree. 23 ill tile filial\n                                                                                                  reporl.\nall bureaus and respective Executive Directors. improve their process for submitting service\nrequcslS to the Information Technology Service Center for key fobs/tokens for new employees.\n\nManagement Response (November 2012): The Oeparunenl does not concur with this\nrecommendation because the Department is compliant with the Office of Management and\nBudget\'s requirement to track fobs/tokens to identify the personnel who participate in telework\noPpoItunitics.\n\nThe Department suggests that this recommendation be closed.\n                                                                                                  Ree. 23 has become\nRecommendation 23. We recommend that the Chief Information Officer, in coordination with          Ree. 
24 in thefil10l\nthe Bureau of Diplomatic Security, update the Foreign Affairs Manual to provide guidance and      report.\ndirection for Continuity of Operations Plan development and implementation.\n\nManagement Response (November 2012): The Department concurs with this recommendation\nand is currently working with OS to update the FAM.\n\nThe Department suggests that this recommendation is resolved and should be closed upon\nissuance of the referenced FAM update.\n                                                                                                  Ree. 24 has become\nRecommendation 24. We recommend that the Chief Information Officer. in coordination with\n                                                                                                  Rec. 25 ill Illefillal\nthe Bureau of Infonnatioo Resource Management/Information A\'Osurance, perform an entity-          repOrt.\n\n\n\n\n                                           62\n                                      UNCLASSIFIED\n\x0c                                      UNCLASSIFIED\n\n\n\n\n                                        UNCLASSIFIED\n                                    OIG Resolution Analysis\n                   Audit of Depanmenr of Slate Information Securiry Program\n                                (AUD/IT-XX-XX, Nov. 
2012)\n\n\nwide Business Impact Analysis and develop a strategy to prioritize recovery of the critical assets\nwithin the Department and align the Business Impact Analysis of the primary mission-critical\nfunctions with Information Resource Management\'s Maximum Tolerable Downtime for the\nnetwork.\n\nManagement Response (November 2012): The Department concurs with this recommendation\nand has taken corrective actions to develop a Business Impact Analysis.\n\nThe Department suggests that this recommendation is resolved and should be closed upon\nissuance of the referenced Business Impact Analysis.\n                                                                                                     Ree. 25110.\'; become\nRecommendation 25. We recommend that the Chief Information Officer, in coordination with             Nee. 26 ill the filial\nthe Bureau of Information Resource Management/Information Assurance, develop a Continuity            report.\nof Operations Plan for communications and the infrastructure at the Department level (entity)\nthat complies with National Institute of Standards and Technology Special Publication 800-34.\nRevision I, Contingency Planning Guide for Federallnfonnation Systems, and includes the\nstandard elements of a Continuity of Operations Plan.\n\nManagement Response (November 2012): The Department concurs with this recommendation\nand is taking the following actions:\n   \xe2\x80\xa2 The Chief Information Officer and the Office of Information Assurance are currentl y\n        developing a Continuity of Operations Plan for communications that complies with the\n        applicable N1ST guidance and will include the standard elements of a Continuity of\n        Operations Plan.\n\nThe Department suggests that this recommendation is resolved and should be closed upon the\nissuance of the referenced Continuity of Operations Plan.\n                                                                                                     Ree. 
26 lias become\nRecommendation 26. We recommend that the Chief Information Officer, in coordination with             Ree. 27 illtheft/lOi\nbureaus and the Information System Owners, document and maintain alternate site locations and        report.\nprocedures for accessing the alternate site and perform annual contingency plan tests and update\ncontingcncy plans with test results as necessary.\n\nManagement Response (November 2012): The Department concurs with this\nrecommendation. The Office of Information Assurance has taken corrective actions to\nincorporate checklists questions regarding the exislence of alternate site locations, as well as\nprocedures for accessing these facilities. In addition. Annual Contingency Plan tests are\nperformed annually and there is a Contingency Plan toolkit on the Office of Information\nAssurance\'s website that provides instructions to Bureau personnel for the testing and reporting\nof Contingency Plans.\n\nThe Department suggests that this recommendation is resolved and should be closed upon OIG\nvalidation of the referenced actions.\n\n\n\n\n                                           63\n                                      UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n\n\n                                        UNCLASSIFIED\n                                  DIG Resolution Analysis\n                   Audit of Depanment of State Information Security Program\n                                (AUDfIT-XX-XX. Nov. 2012)\n\n\n                                                                                                       Ree. 27 has become\nRecommendation 27. We recommend that the Chief Information Officer, in coordination with Ree. 28 ifl/heftl/al\n                                                                                           - . 
!eport.\nthe Bureau of Diplomatic Security, continue to ensure that annual physical inspections are\ncompleted for all OpenNet and ClassNet extensions.\n\nManagement Response (November 2012): The DepaJtment concurs with this recommendation\nand will continue to ensure compliance with established schedules.\n\nThe Department suggests that this recommendation be closed.\n                                                                                                        Nee. 28 has become\n                                                                                                        Ree. 29 illlhejil1l,t\nRecommendation 28. We recommend that the Chief Information Officer, in coordination with              _ report.\nthe Bureau of Information Resource Management/Information Assurance. continue to review\nSystem Security Assessment packages, annual controls assessments, and contingency plans tests\nto ensure that bureaus are implementing the required National Institute of Standards and\nTechnology Special Publication 800-53, Revision 3, Recommended Security Controls for\nFederal Information Systems and Organizatiom controls and updating System Security Plans for\nthe contractor-hosted systems.\n\nManagement Resoonse (November 2012): The Department concurs with this\nrecommendation. The Department will continue to conduct the nonnal processing reviews to\nensure compliance with NIST SP 800-53 rev. 3 and subsequent revisions.\n\nThe Department suggests that this recommendation be closed.\n                                                                                                        Rec. 29110.\\\' become\n                                                                                                        Ree. 30 ill tltejillal\nRecommendation 29. 
We recommend that the Chief Infonnation Officer, in coordination with\n                                                                                                        report.\nthe Bureau of lnfonnation Resource Management/Information Assurance, implement procedures\nto coordinate security activities for tracking all extensions (that is, contractor sites and other\ngovernment agencies via iPost) to OpenNet and ClassNet.\n\nManagement Response <November 2012): The Department does not concur with this\nrecommendation. While the Department asserts the current process in practice arc effective.\nperiodic review of the process will be conducted and updates made when needed.\n\nThe Department suggests lhat this recommendation be closed.\n                                                                                                        Rec. 30 "as become\nRecommendation 30. We recommend that the Bureau of Information Resource Management                      Ree. 31 il1l11e jinal\nsenior management ensure that Information Technology Service Line Program Managers obtain               report.\nthe appropriate level of electronic Capital Planning Investment control tool training and\nunderstanding regarding their electronic Capital Planning Investment Control reponing\nrequirements and that they are held accountable for completing their respective Exhibits 300.\nincluding the accurate reporting of the resources required to protect their information systems, as\npart of the next electronic Capital Planning Investment Control submission\n\n\n\n\n                                            64\n                                       UNCLASSIFIED\n\x0c                                      UNCLASSIFIED\n\n\n\n\n                                       UNCLASSIFIED\n                                 OIG Resolution Analysis\n                  Audit of Department of State Information Security Program\n                               (AUD/IT-XX-XX, Nov. 
2012)\n\n\nManagement Response (November 20 12): The Depanment concurs with this recommendation\nand is identifying training opportunities to further understand the reporting requirements need to\nensure accurate reporting of Capital Planning Investment Control submissions.\n\nThe Department suggests that the recommendation be left open.\n\n\n\n\n                                           65\n                                      UNCLASSIFIED\n\x0c       UNCLASSIFIED\n\n\n\n\n FRAUD, WASTE, ABUSE,\n OR MISMANAGEMENT\nOF FEDERAL PROGRAMS\n   HURTS EVERYONE.\n\n          CONTACT THE\n  OFFICE OF INSPECTOR GENERAL\n             HOTLINE\n       TO REPORT ILLEGAL\n    OR WASTEFUL ACTIVITIES:\n\n\n         202-647-3320\n         800-409-9926\n      oighotline@state.gov\n          oig.state.gov\n\n   Office of Inspector General\n    U.S. Department of State\n         P.O. Box 9778\n     Arlington, VA 22219\n\n\n\n\n       UNCLASSIFIED\n\x0cUNCLASSIFIED\n\n\n\n\nUNCLASSIFIED\n\x0c'